US20210365797A1

US20210365797A1 - Systems and Methods for Debugging Neural Networks with Coverage Guided Fuzzing

Info

Publication number: US20210365797A1
Application number: US17/392,937
Authority: US
Inventors: Augustus Quadrozzi Odena
Original assignee: Google LLC
Current assignee: Google LLC
Priority date: 2018-05-18
Filing date: 2021-08-03
Publication date: 2021-11-25
Also published as: WO2019222656A1; US11080603B2; CN112119410A; US20190354870A1; EP3782082A1

Abstract

The present disclosure provides systems and methods for debugging neural networks. In one example, a computer-implemented method is provided, which includes obtaining, by one or more computing devices, one or more inputs from an input corpus. The method further includes mutating, by the one or more computing devices, the one or more inputs and providing the one or more mutated inputs to a neural network; obtaining, by the one or more computing devices as a result of the neural network processing the one or more mutated inputs, a set of coverage arrays; determining, by the one or more computing devices based at least in part on the set of coverage arrays, whether the one or more mutated inputs provide new coverage; and upon determining that the one or more mutated inputs provide new coverage, adding the one or more mutated inputs to the input corpus.

Description

The present application is based on and claims the benefit of U.S. Provisional Application No. 62/673,751 having a filing date of May 18, 2018, which is incorporated by reference herein in its entirety for all purposes.

FIELD

The present disclosure relates generally to machine learned models. More particularly, the present disclosure relates to finding undesirable behavior in neural networks.

BACKGROUND

The use of machine learning models, such as neural networks, is becoming more important in solving a variety of tasks that have traditionally been difficult for a computing system. However, machine learning models are generally difficult to interpret and debug. As machine learning models like neural networks become more prevalent, it becomes more desirable to test neural networks to discover bugs and/or other undesirable behavior before a neural network is implemented in the “real world.”

SUMMARY

Aspects and advantages of embodiments of the present disclosure will be set forth in part in the following description, or can be learned from the description, or can be learned through practice of the embodiments.
One example aspect of the present disclosure is directed to debugging a neural network. The method can include obtaining, by one or more computing devices, one or more inputs from an input corpus. The method can further include mutating, by the one or more computing devices, the one or more inputs. The method can further include providing, by the one or more computing devices, the one or more mutated inputs to a neural network. The method can further include obtaining, by the one or more computing devices as a result of the neural network processing the one or more mutated inputs, a set of coverage arrays that describe whether one or more neurons of the neural network were activated during processing of the one or more mutated inputs by the neural network. The method can further include determining, by the one or more computing devices based at least in part on the set of coverage arrays, whether the one or more mutated inputs provide new coverage. The method can further include upon determining that the one or more mutated inputs provide new coverage, adding, by the one or more computing devices, the one or more mutated inputs to the input corpus.
In some implementations, the method can further include obtaining, by the one or more computing devices as a result of the neural network processing the one or more mutated inputs, a set of metadata arrays that describe metadata associated with execution of the neural network to process the one or more mutated inputs; determining, by the one or more computing devices based at least in part on the set of metadata arrays, whether an objective function is satisfied; and upon determining that the objective function is satisfied, adding, by the one or more computing devices, the one or more mutated inputs to a list of test cases.
Another example aspect of the present disclosure is directed to a computing device. The computing device can include one or more processors and one or more non-transitory computer-readable media that store instructions that, when executed by the one or more processors, cause the computing device to perform operations. The instructions, when executed, can cause the computing device to obtain one or more inputs from an input corpus. The instructions, when executed, can further cause the computing device to mutate the one or more inputs. The instructions, when executed, can further cause the computing device to provide the one or more mutated inputs to a neural network. The instructions, when executed, can further cause the computing device to obtain as a result of the neural network processing the one or more mutated inputs, a set of coverage arrays that describe whether one or more neurons of the neural network were activated during processing of the one or more mutated inputs by the neural network. The instructions, when executed, can further cause the computing device to determine based at least in part on the set of coverage arrays, whether the one or more mutated inputs provide new coverage. The instructions, when executed, can further cause the computing device to, upon determining that the one or more mutated inputs provide new coverage, add the one or more mutated inputs to the input corpus.
In some implementations, the computing device can further include instructions, that when executed, cause the computing device to obtain as a result of the neural network processing the one or more mutated inputs, a set of metadata arrays that describe metadata associated with execution of the neural network to process the one or more mutated inputs; determine based at least in part on the set of metadata arrays, whether an objective function is satisfied; and upon determining that the objective function is satisfied, add the one or more mutated inputs to a list of test cases.
Another example aspect of the present disclosure is directed to one or more non-transitory computer-readable media that store instructions that, when executed by one or more processors of a computing system, cause the computing system to perform operations. The operations include obtaining one or more inputs from an input corpus. The operations further include mutating the one or more inputs. The operations further include providing the one or more mutated inputs to a neural network. The operations further include obtaining, as a result of the neural network processing the one or more mutated inputs, a set of metadata arrays that describe metadata associated with execution of the neural network to process the one or more mutated inputs. The operations further include determining, based at least in part on the set of metadata arrays, whether an objective function is satisfied. The operations further include upon determining that the objective function is satisfied, add the one or more mutated inputs to a list of test cases.
In some implementations, the one or more non-transitory computer-readable media can store instructions that, when executed by one or more processors of a computing system, cause the computing system to obtain, as a result of the neural network processing the one or more mutated inputs, a set of coverage arrays that describe whether one or more neurons of the neural network were activated during processing of the one or more mutated inputs by the neural network; determine, based at least in part on the set of coverage arrays, whether the one or more mutated inputs provide new coverage; and upon determining that the one or more mutated inputs provide new coverage, add the one or more mutated inputs to the input corpus.

BRIEF DESCRIPTION OF THE DRAWINGS

Detailed discussion of embodiments directed to one of ordinary skill in the art is set forth in the specification, which makes reference to the appended figures, in which:

FIG. 1 depicts a block diagram of an example computing system that can be used with machine learning models according to example embodiments of the present disclosure.

FIG. 2 depicts a block diagram of an example coverage guided fuzzing system according to example embodiments of the present disclosure.

FIG. 3 depicts a flow chart diagram of example operations to perform neural network debugging according to example embodiments of the present disclosure.

Reference numerals that are repeated across plural figures are intended to identify the same features in various implementations.

DETAILED DESCRIPTION

Overview
Generally, the present disclosure is directed to machine-learned models, such as neural networks. In particular, the systems and methods of the present disclosure can provide for testing neural networks to find bugs and/or other undesirable behavior, for example, before a neural network is deployed. According to an aspect of the present disclosure, coverage guided fuzzing can be applied to neural networks to allow for debugging of the neural networks. For example, in some implementations, coverage guided fuzzing can be applied to neural networks to provide for finding numerical errors in trained neural networks, generating disagreements between neural networks and quantized versions of those networks, surfacing undesirable behavior in models (e.g., character level language models, etc.), and/or the like.
Machine learning models can be difficult to debug or interpret for a variety of reasons, ranging from the conceptual difficulty of specifying what the user wishes to know about the model in formal terms to statistical and computational difficulties in obtaining answers to formally specified questions. Neural networks can be particularly difficult to debug because even relatively straightforward formal questions about them can be computationally expensive to answer and because software implementations of neural networks can deviate significantly from theoretical models.
In general, coverage guided fuzzing provides for maintaining an input corpus comprising inputs to a program under consideration. Random changes are made to those inputs according to some mutation procedure, and the mutated inputs are added to an input corpus when they exercise new coverage (e.g., causing code to execute in a different way than previously seen, etc.).
The systems and methods of the present disclosure provide for inputting random mutations of inputs to a neural network where the mutations are guided by a coverage metric toward the goal of satisfying user-specified constraints. According to an aspect of the present disclosure, coverage can be measured by analyzing the activation vectors of the neural network coverage graph. For example, in some implementations, new coverage can be determined based on whether the neural network has resulted in a state that the neural network has not reached previously, such that the new coverage helps to provide incremental progress in debugging.
As one example, fast approximate nearest neighbor algorithms can be used to determine if two sets of neural network ‘activations’ are meaningfully different from each other. This provides a coverage metric producing useful results for neural networks, even when the underlying implementation of the neural network does not make use of many data-dependent branches. For example, in some implementations, the activations (or some subset of them) associated with each input can be stored and checked to determine whether coverage has increased on a given input by using an approximate nearest neighbors algorithm to see whether there are any other sets of activations within a pre-specified distance.
According to an aspect of the present disclosure, in some implementations, coverage guided fuzzing of a neural network can start with a seed corpus containing at least one set of inputs for the computation graph. The inputs can be restricted to those inputs that are in some sense valid neural network inputs. For example, if the inputs are images, the inputs can be restricted to those inputs that have the correct size and shape, and that lie in the same interval as the input pixels of the dataset under consideration. As another example, if the inputs are sequences of characters, inputs can be restricted to characters that are in the vocabulary extracted from the training set.
Given this seed corpus, until instructed to stop or some other stopping criterion in met, the neural network debugging system can choose elements from the input corpus according to some heuristic (e.g., uniform random selection, some defined probability heuristic, etc.). Given this input, the neural network debugging system can perform some sort of modification to that input. For example, the modification can be as simple as just flipping the sign of an input pixel in an image. Additionally or alternatively, it can also be restricted to follow some kind of constraint on the total modification made to a corpus element over time. The mutated inputs can then be fed to the neural network. In some implementations, two things can be extracted from the neural network: a set of coverage arrays, from which the actual coverage can be computed, and a set of metadata arrays, from which the result of the objective function can be computed. For example, the coverage arrays can describe which neurons of the neural network were activated during processing of the input, and therefore may be referred to as or used to generate an “activation vector.” As another example, the metadata array can describe a behavior, output, result, prediction, outcome, timings, statistics, run times, memory consumption, processor usage, and/or other metadata associated with execution of the neural network to process the input. Once the coverage and/or objective is computed, the mutated input can be added to the corpus if it exercises new coverage, and/or it can be added to a list of test cases if it causes the objective function the be satisfied.
For example, an objective function can be used to assess whether some particular state (e.g., an erroneous state, etc.) has been reached. The objective function can be applied to the metadata arrays and inputs that caused the objective to be satisfied can be flagged. The neural network debugging system can determine whether the coverage provided by the mutated input is new coverage (e.g., whether the neural network has reached a state that it has not reached previously, etc.) based on the coverage arrays. For example, in some implementations, when a new activation vector is received, its nearest neighbor can be determined (e.g., through performance of an approximate nearest neighbors algorithm) and checked for how far away the nearest neighbor is (e.g., in Euclidean distance). The input can be added to the corpus if the distance is greater than some defined amount.
In some implementations, the input mutations can be performed as a batch and the batch of inputs can be fed to the computation graph. The coverage and objective function can then be checked on a batch of output arrays.
Reference now will be made in detail to embodiments, one or more examples of which are illustrated in the drawings. Each example is provided by way of explanation of the embodiments, not limitation of the present disclosure. In fact, it will be apparent to those skilled in the art that various modifications and variations can be made to the embodiments without departing from the scope or spirit of the present disclosure. For instance, features illustrated or described as part of one embodiment can be used with another embodiment to yield a still further embodiment. Thus, it is intended that aspects of the present disclosure cover such modifications and variations.

Example Devices and Systems

FIG. 1 depicts a block diagram of an example computing system 100 that provides for the use of machine learning according to example embodiments of the present disclosure. The system 100 includes a user computing device 102, a server computing system 130, and a training computing system 150 that are communicatively coupled over a network 180.
The user computing device 102 can be any type of computing device, such as, for example, a personal computing device (e.g., laptop or desktop), a mobile computing device (e.g., smartphone or tablet), a gaming console or controller, a wearable computing device, an embedded computing device, or any other type of computing device.
The user computing device 102 includes one or more processors 112 and a memory 114. The one or more processors 112 can be any suitable processing device (e.g., a processor core, a microprocessor, an ASIC, a FPGA, a controller, a microcontroller, etc.) and can be one processor or a plurality of processors that are operatively connected. The memory 114 can include one or more non-transitory computer-readable storage mediums, such as RAM, ROM, EEPROM, EPROM, flash memory devices, magnetic disks, etc., and combinations thereof. The memory 114 can store data 116 and instructions 118 which are executed by the processor 112 to cause the user computing device 102 to perform operations.
In some implementations, the user computing device 102 can store or include one or more machine-learned models 120. For example, the machine-learned models 120 can be or can otherwise include various machine-learned models such as neural networks (e.g., deep neural networks) or other types of machine-learned models, including non-linear models and/or linear models. Neural networks can include feed-forward neural networks, recurrent neural networks (e.g., long short-term memory recurrent neural networks), convolutional neural networks or other forms of neural networks.
In some implementations, the one or more machine-learned models 120 can be received from the server computing system 130 over network 180, stored in the user computing device memory 114, and then used or otherwise implemented by the one or more processors 112. In some implementations, the user computing device 102 can implement multiple parallel instances of a single machine-learned model 120.
Additionally or alternatively, one or more machine-learned models 140 can be included in or otherwise stored and implemented by the server computing system 130 that communicates with the user computing device 102 according to a client-server relationship. For example, the machine-learned models 140 can be implemented by the server computing system 140 as a portion of a cloud based service. Thus, one or more models 120 can be stored and implemented at the user computing device 102 and/or one or more models 140 can be stored and implemented at the server computing system 130.
The user computing device 102 can also include one or more user input component 122 that receives user input. For example, the user input component 122 can be a touch-sensitive component (e.g., a touch-sensitive display screen or a touch pad) that is sensitive to the touch of a user input object (e.g., a finger or a stylus). The touch-sensitive component can serve to implement a virtual keyboard. Other example user input components include a microphone, a traditional keyboard, or other means by which a user can provide user input.
The server computing system 130 includes one or more processors 132 and a memory 134. The one or more processors 132 can be any suitable processing device (e.g., a processor core, a microprocessor, an ASIC, a FPGA, a controller, a microcontroller, etc.) and can be one processor or a plurality of processors that are operatively connected. The memory 134 can include one or more non-transitory computer-readable storage mediums, such as RAM, ROM, EEPROM, EPROM, flash memory devices, magnetic disks, etc., and combinations thereof. The memory 134 can store data 136 and instructions 138 which are executed by the processor 132 to cause the server computing system 130 to perform operations.
In some implementations, the server computing system 130 includes or is otherwise implemented by one or more server computing devices. In instances in which the server computing system 130 includes plural server computing devices, such server computing devices can operate according to sequential computing architectures, parallel computing architectures, or some combination thereof.
As described above, the server computing system 130 can store or otherwise include one or more machine-learned models 140. For example, the models 140 can be or can otherwise include various machine-learned models. Example machine-learned models include neural networks or other multi-layer non-linear models. Example neural networks include feed forward neural networks, deep neural networks, recurrent neural networks, and convolutional neural networks.
In some implementations, the server computing system 130 can further include a neural network debugging system 142, such as described herein with regard to FIG. 2. For example, the neural network debugging system 142 can provide for performing coverage guided fuzzing using a corpus of inputs, for instance, to provide for testing neural networks, such as to discover errors which may occur for rare inputs.
The user computing device 102 and/or the server computing system 130 can train the models 120 and/or 140 via interaction with the training computing system 150 that is communicatively coupled over the network 180. The training computing system 150 can be separate from the server computing system 130 or can be a portion of the server computing system 130.
The training computing system 150 includes one or more processors 152 and a memory 154. The one or more processors 152 can be any suitable processing device (e.g., a processor core, a microprocessor, an ASIC, a FPGA, a controller, a microcontroller, etc.) and can be one processor or a plurality of processors that are operatively connected. The memory 154 can include one or more non-transitory computer-readable storage mediums, such as RAM, ROM, EEPROM, EPROM, flash memory devices, magnetic disks, etc., and combinations thereof. The memory 154 can store data 156 and instructions 158 which are executed by the processor 152 to cause the training computing system 150 to perform operations. In some implementations, the training computing system 150 includes or is otherwise implemented by one or more server computing devices.
The training computing system 150 can include a model trainer 160 that trains the machine-learned models 120 and/or 140 stored at the user computing device 102 and/or the server computing system 130 using various training or learning techniques, such as, for example, backwards propagation of errors. In some implementations, performing backwards propagation of errors can include performing truncated backpropagation through time. The model trainer 160 can perform a number of generalization techniques (e.g., weight decays, dropouts, etc.) to improve the generalization capability of the models being trained. In particular, the model trainer 160 can train the machine-learned models 120 and/or 140 based on a set of training data 162.
In some implementations, if the user has provided consent, the training examples can be provided by the user computing device 102. Thus, in such implementations, the model 120 provided to the user computing device 102 can be trained by the training computing system 150 on user-specific data received from the user computing device 102. In some instances, this process can be referred to as personalizing the model.
The model trainer 160 includes computer logic utilized to provide desired functionality. The model trainer 160 can be implemented in hardware, firmware, and/or software controlling a general purpose processor. For example, in some implementations, the model trainer 160 includes program files stored on a storage device, loaded into a memory and executed by one or more processors. In other implementations, the model trainer 160 includes one or more sets of computer-executable instructions that are stored in a tangible computer-readable storage medium such as RAM hard disk or optical or magnetic media.
The network 180 can be any type of communications network, such as a local area network (e.g., intranet), wide area network (e.g., Internet), or some combination thereof and can include any number of wired or wireless links. In general, communication over the network 180 can be carried via any type of wired and/or wireless connection, using a wide variety of communication protocols (e.g., TCP/IP, HTTP, SMTP, FTP), encodings or formats (e.g., HTML, XML), and/or protection schemes (e.g., VPN, secure HTTP, SSL).
FIG. 1 illustrates one example computing system that can be used to implement the present disclosure. Other computing systems can be used as well. For example, in some implementations, the user computing device 102 can include the model trainer 160 and the training dataset 162. In such implementations, the models 120 can be both trained and used locally at the user computing device 102. In some of such implementations, the user computing device 102 can implement the model trainer 160 to personalize the models 120 based on user-specific data.

Example Debugging System Arrangement

FIG. 2 depicts a block diagram of an example neural network debugging system 200 using coverage guided fuzzing according to example embodiments of the present disclosure. In some implementations, the neural network debugging system 200 can provide for performing coverage guided fuzzing using a corpus of inputs, for example, to provide for testing neural networks, such as to discover errors which may occur for rare inputs. The neural network debugging system 200 can allow for guiding mutations to corpus inputs by a coverage metric to work toward a goal of satisfying user-specified constraints (e.g., random changes are made to inputs according to some mutation procedure and the mutated inputs are added to an input corpus when they exercise new coverage). As an example, coverage can be measured by analyzing the activation vectors of the neural network coverage graph. For instance, in some implementations, new coverage can be determined based on whether the neural network has resulted in a state that the neural network has not reached previously, such that the new coverage helps to provide incremental progress in debugging of the neural network model. For example, in some implementations, coverage guided fuzzing can be applied to neural networks to provide for finding numerical errors in trained neural networks, generating disagreements between neural networks and quantized versions of those networks, surfacing undesirable behavior in models, and/or the like.
As illustrated in FIG. 2, a neural network debugging system 200 can include a coverage guided fuzzer 202 and a seed corpus 220 (e.g., containing at least one set of inputs for the computation graph) which can provide for an initial set of inputs to a coverage guided fuzzer 202 to test a neural network.
The coverage guided fuzzer 202 can obtain (e.g., select) a set of inputs from the seed corpus 220 to provide an input corpus 204, which may comprise all or some subset of inputs included in the seed corpus 220. In some implementations, the inputs can be restricted to some type of valid neural network inputs (e.g., images having a correct size and shape, characters that are in a vocabulary extracted from a training set, etc.). In some implementations, the seed corpus 220 can be supplied by a user and/or can be selected from a set of available seed corpuses. The inputs can be textual inputs, image inputs, audio data inputs, sensor data inputs, and/or various other types of inputs.
The coverage guided fuzzer 202 can include an input chooser 206 that can select input(s) from the input corpus 204 to use during a particular iteration of the coverage guided fuzzing. For example, in some implementations, the input chooser 206 can select inputs using uniform random selection. For example, in some implementations, the input chooser 206 can be biased towards selecting inputs that were more recently added to the input corpus 204. As one example, the input chooser 206 can select inputs using a heuristic such as
$p (c_{k}, t) = \frac{e^{t_{k} - t}}{\sum e^{t_{k} - t}},$
wherein p(c_k, t) gives a probability of choosing an input corpus element c_kat time t where t_kis the time when element c_kwas added to the input corpus. The intuition behind this is that recently sampled inputs are more likely to yield useful new coverage when mutated, but that this advantage decays as time progresses, and thus inputs can be selected as a function of their age.
The input chooser 206 can provide the selected input(s) to a mutator 208. The mutator 208 can apply modifications (e.g., mutations) to the selected input(s) before the inputs are provided to the neural network. For example, in some implementations, the mutator 208 can add white noise of a user-configurable variance to input(s) (e.g., image inputs, etc.). As another example, in some implementations, the mutator 208 can add white noise of a user-configurable variance to the one or more inputs (e.g., image inputs, etc.), wherein a difference between the mutated input and an original input from which the mutated input is descended is constrained to have a user-configurable L_∞ norm. This type of constrained mutation can be useful to find inputs that satisfy some objective function, but are still plausibly of the same “class” as the original input that was used as a seed. In some implementations, the image can be clipped after mutation so that it lies in the same range as the inputs used to train the neural network being debugged.
As another example, in some implementations, such as with text string inputs, one of a set of operations can be uniformly performed at random, including operations such as deleting a character at a random location, adding a character at a random location, substituting a random character at a random location, and/or the like.
The input chooser 206 includes computer logic utilized to provide desired functionality. The input chooser 206 can be implemented in hardware, firmware, and/or software controlling a general purpose processor. For example, in some implementations, the input chooser 206 includes program files stored on a storage device, loaded into a memory and executed by one or more processors. In other implementations, the input chooser 206 includes one or more sets of computer-executable instructions that are stored in a tangible computer-readable storage medium such as RAM hard disk or optical or magnetic media.
The mutator 208 can then provide the mutated input(s) to the neural network 210. The neural network 210 can provide outputs which can include a set of coverage arrays, for which coverage can be computed, and a set of metadata arrays, from which a result of an objective function can be computed. For example, when the mutated inputs are fed into a computation graph, both coverage arrays and metadata arrays are returned as output.
The mutator 208 includes computer logic utilized to provide desired functionality. The mutator 208 can be implemented in hardware, firmware, and/or software controlling a general purpose processor. For example, in some implementations, the mutator 208 includes program files stored on a storage device, loaded into a memory and executed by one or more processors. In other implementations, the mutator 208 includes one or more sets of computer-executable instructions that are stored in a tangible computer-readable storage medium such as RAM hard disk or optical or magnetic media.
The objective function 212 can assess whether the neural network has reached some particular state, for example, a state which may be regarded as erroneous, based on the metadata array(s). An erroneous state may include an incorrect prediction, an execution time greater than a maximum execution time, a processor usage greater than a maximum processor usage, a failure of the neural network to execute, and/or other the existence of other errors or undesirable behavior or performance. In some implementations, the objective function 212 can be specified by a user and/or selected from a set of available objective functions. Generally, the objective function 212 used to assess whether the neural network has reached some particular state can be separate and distinct from some other objective or loss function used to train the neural network. If the objective function 212 is satisfied, the mutated input(s) provided to the neural network can be flagged, such as being added to a list of test cases (e.g., for future debugging, etc.). As an example, when the mutated inputs are fed into a computation graph and metadata arrays are returned as output, the objective function can be applied to the metadata arrays and any mutated inputs that caused the objective function to be satisfied can be flagged.
The coverage analyzer 214 can determine whether the coverage provided by the mutated input(s) is new coverage (e.g., whether the neural network has reached a state that it has not reached previously, etc.) based on the coverage array(s). For example, in some implementations, coverage analyzer 214 can determine whether new coverage is provided based on whether an activation vector is approximately close to a previous activation vector. If the coverage analyzer 214 determines that the mutated input(s) provide new coverage, the mutated input(s) can be added to the input corpus 204, for example, to be used as input(s) in future iterations of debugging and/or the like. For example, an approximate nearest neighbor can be computed for a new activation vector and checked to determine how far away the nearest neighbor is in Euclidean distance from the activation vector. The input can be added to the corpus if the distance is greater than some defined amount (e.g., which can be a user-configurable hyperparameter, an adaptive hyperparameter to adapts over time, and/or a dynamic hyperparameter that changes over time, for example, according to a predetermined schedule). In some implementations, the coverage guided fuzzer 202 can continue to select, mutate, and analyze inputs included in the input corpus 204 until instructed to stop and/or some other stopping criterion in met.
The coverage analyzer 214 includes computer logic utilized to provide desired functionality. The coverage analyzer 214 can be implemented in hardware, firmware, and/or software controlling a general purpose processor. For example, in some implementations, the coverage analyzer 214 includes program files stored on a storage device, loaded into a memory and executed by one or more processors. In other implementations, the coverage analyzer 214 includes one or more sets of computer-executable instructions that are stored in a tangible computer-readable storage medium such as RAM hard disk or optical or magnetic media.
The coverage arrays and/or associated activation vectors may describe whether some or all of the neurons of the neural network were activated during processing of an input. As one example, a coverage array and/or associated activation vector may be limited to describing only whether the logits of the neural network and/or neurons of a layer of the network prior to the logits were activated.
In some implementations, the system 200 can be applied (e.g., in parallel) to two or more different (but potentially related) models to identify disagreements between the models. For example, the two or more different models can be two or more different versions of a base model such as a base model and a quantized version of the base model. To identify disagreements, the same input (e.g., a mutated input) can be provided to the two or more different models and the two or more different outputs of the two or more different models can be analyzed (e.g., according to the objective function 212 and/or the coverage analyzer 214) to detect disagreements or otherwise measure a divergence in the outputs.

Example Methods

FIG. 3 depicts a flow chart diagram of example operations to perform neural network debugging according to example embodiments of the present disclosure. Although FIG. 3 depicts steps performed in a particular order for purposes of illustration and discussion, the methods of the present disclosure are not limited to the particularly illustrated order or arrangement. The various steps of the method 300 can be omitted, rearranged, combined, and/or adapted in various ways without deviating from the scope of the present disclosure.
At 302, a computing system can obtain an input corpus, for example from a seed corpus comprising one or more sets of inputs. For example, a seed corpus can contain at least one set of inputs for the computation graph. The inputs can be restricted to those inputs that are in some sense valid neural network inputs. For example, if the inputs are images, the inputs can be restricted to those inputs that have the correct size and shape, and that lie in the same interval as the input pixels of the dataset under consideration. As another example, if the inputs are sequences of characters, inputs can be restricted to characters that are in the vocabulary extracted from the training set.
At 304, the computing system can select one or more inputs from the input corpus for use in debugging a neural network. For example, the computing system can select one or more inputs from the input corpus based on uniform random selection, based on one or more heuristics (e.g.,
$p (c_{k}, t) = \frac{e^{t_{k} - t}}{\sum e^{t_{k} - t}}$
giving a probability of choosing an input corpus element c_kat time t where t_kis the time when element c_kwas added to the input corpus, etc.), and/or the like.
At 306, the computing system can modify the selected input(s) prior to input to the neural network by performing some type of mutation on the selected input(s). For example, in some implementations, the computing system can perform a simple modification of the input such as flipping a sign of an input. As another example, in some implementations, computing system can restrict the modifications to follow a constraint on the total modification made to a corpus element over time.
At 308, the computing system feed the modified input(s) to the neural network that is to be debugged.
At 310, the computing system can obtain, as a result of the neural network processing the one or more mutated inputs, a set of coverage arrays (e.g., that describe whether one or more neurons of the neural network were activated during processing of the one or more mutated inputs by the neural network) which can be used to compute the actual coverage exercised by the modified input(s).
At 312, the computing system the computing system can determine whether the mutated input(s) provide new coverage at least in part on the coverage array(s). For example, the computing system can determine that new coverage is provided is the neural network results in a state that it has not been in before. If the mutated input(s) provide new coverage, operation continues to 314. If the mutated input(s) do not provide new coverage, operations continue to 322, where a next input can be analyzed. For example, in some implementations, when a new activation vector is received, its nearest neighbor can be determined and checked for how far away the nearest neighbor is in Euclidean distance. The input can be added to the corpus if the distance is greater than some defined amount.
At 314, the computing system can add the mutated input(s) to the input corpus.
At 316, the computing system, as a result of the neural network processing the one or more mutated inputs, a set of metadata arrays (e.g., that describe metadata associated with execution of the neural network to process the one or more mutated inputs) for use in computing the objective function.
At 318, the computing system can determine whether the objective function is satisfied based at least in part on the metadata array(s). For example, the objective function can assess whether the neural network has reached a particular state, such as state that is regarded as erroneous. For example, the objective function can be applied to the metadata arrays and inputs that cause the objective to be satisfied can be flagged. If the objective function is satisfied, operation continues to 320. If the objective function is not satisfied, operation continues to 322.
At 320, the computing system can add the mutated input to a list of test cases.

Additional Disclosure

The technology discussed herein makes reference to servers, databases, software applications, and other computer-based systems, as well as actions taken and information sent to and from such systems. The inherent flexibility of computer-based systems allows for a great variety of possible configurations, combinations, and divisions of tasks and functionality between and among components. For instance, processes discussed herein can be implemented using a single device or component or multiple devices or components working in combination. Databases and applications can be implemented on a single system or distributed across multiple systems. Distributed components can operate sequentially or in parallel.
While the present subject matter has been described in detail with respect to various specific example embodiments thereof, each example is provided by way of explanation, not limitation of the disclosure. Those skilled in the art, upon attaining an understanding of the foregoing, can readily produce alterations to, variations of, and equivalents to such embodiments. Accordingly, the subject disclosure does not preclude inclusion of such modifications, variations and/or additions to the present subject matter as would be readily apparent to one of ordinary skill in the art. For instance, features illustrated or described as part of one embodiment can be used with another embodiment to yield a still further embodiment. Thus, it is intended that the present disclosure cover such alterations, variations, and equivalents.

Claims

1.-20. (canceled)

21. A computer-implemented method for debugging a neural network, the method comprising:

obtaining, by one or more computing devices, one or more inputs from an input corpus;

mutating, by the one or more computing devices, the one or more inputs to generate one or more mutated inputs, wherein the one or more mutated inputs are constrained to have a same class as the one or more inputs;

providing, by the one or more computing devices, the one or more mutated inputs to a neural network;

obtaining, by the one or more computing devices as a result of the neural network processing the one or more mutated inputs, a set of coverage arrays that describe whether one or more neurons of the neural network were activated during processing of the one or more mutated inputs by the neural network;

determining, by the one or more computing devices based at least in part on the set of coverage arrays, whether the one or more mutated inputs provide new coverage; and

upon determining that the one or more mutated inputs provide new coverage, adding, by the one or more computing devices, the one or more mutated inputs to the input corpus.

22. The method of claim 21, further comprising:

obtaining, by the one or more computing devices as a result of the neural network processing the one or more mutated inputs, a set of metadata arrays that describe metadata associated with execution of the neural network to process the one or more mutated inputs;

determining, by the one or more computing devices based at least in part on the set of metadata arrays, whether an objective function is satisfied; and

upon determining that the objective function is satisfied, adding, by the one or more computing devices, the one or more mutated inputs to a list of test cases.

23. The method of claim 21, wherein determining, by the one or more computing devices based at least in part on the set of coverage arrays, whether the one or more mutated inputs provide new coverage comprises:

generating, by the one or more computing devices, an activation vector based at least in part on the set of coverage arrays;

performing, by the one or more computing devices, an approximate nearest neighbors algorithm to identify a previous activation vector;

determining, by the one or more computing devices, a distance between the activation vector and the previous activation vector identified by the approximate nearest neighbors algorithm; and

comparing, by the one or more computing devices, the distance to a threshold distance;

wherein the one or more mutated inputs provide new coverage when the distance is greater than the threshold distance.

24. The method of claim 21, wherein obtaining one or more inputs from the input corpus comprises using uniform random selection to select the one or more inputs from the input corpus.

25. The method of claim 21, wherein obtaining one or more inputs from the input corpus comprises selecting the one or more inputs from the input corpus using a heuristic of

p (c_{k}, t) = \frac{e^{t_{k} - t}}{\sum e^{t_{k} - t}},

wherein p(c_k, t) gives a probability of choosing input corpus element c_kat time t where t_kis the time when element c_kwas added to the input corpus.

26. The method of claim 21, wherein mutating the one or more inputs comprises mutating the one or more inputs subject to a constraint, wherein the constraint comprises a L_∞ norm.

27. The method of claim 26, wherein the L_∞ norm is specified by a user.

28. The method of claim 21, wherein determining whether the one or more mutated inputs provide new coverage comprises determining whether the neural network has reached a new state that it has not previously reached.

29. The method of claim 28, wherein determining whether the neural network has reached a new state that it has not previously reached comprises determining whether an activation vector is approximately close to a previous activation vector.

30. The method of claim 22, wherein determining whether the objective function is satisfied comprises determining whether the neural network has reached a desired state.

31. The method of claim 30, wherein the desired state is an erroneous state for the neural network.

32. A computing device comprising:

one or more processors; and

one or more non-transitory computer-readable media that store instructions that, when executed by the one or more processors, cause the computing device to:

obtain one or more inputs from an input corpus;

mutate the one or more inputs to generate one or more mutated inputs, wherein the one or more mutated inputs are constrained to have a same class as the one or more inputs;

provide the one or more mutated inputs to a neural network;

obtain as a result of the neural network processing the one or more mutated inputs, a set of coverage arrays that describe whether one or more neurons of the neural network were activated during processing of the one or more mutated inputs by the neural network;

determine based at least in part on the set of coverage arrays, whether the one or more mutated inputs provide new coverage; and

upon determining that the one or more mutated inputs provide new coverage, add the one or more mutated inputs to the input corpus.

33. The computing device of claim 32, further comprising instructions, that when executed, cause the computing device to:

obtain as a result of the neural network processing the one or more mutated inputs, a set of metadata arrays that describe metadata associated with execution of the neural network to process the one or more mutated inputs;

determine based at least in part on the set of metadata arrays, whether an objective function is satisfied; and

upon determining that the objective function is satisfied, add the one or more mutated inputs to a list of test cases.

34. The computing device of claim 32, further comprising instructions, that when executed, cause the computing device to:

obtain the input corpus from a seed corpus, the seed corpus containing at least one set of inputs.

35. The computing device of claim 32, wherein obtaining one or more inputs from the input corpus comprises:

using uniform random selection to select the one or more inputs from the input corpus; or

selecting the one or more inputs from the input corpus using a heuristic of

p (c_{k}, t) = \frac{e^{t_{k} - t}}{\sum e^{t_{k} - t}},

36. The computing device of claim 32, wherein a difference between the one or more mutated inputs and the one or more inputs from which the one or more mutated inputs are descended is constrained to have a L_∞ norm.

37. The computing device of claim 32, wherein determining whether the one or more mutated inputs provide new coverage comprises determining whether the neural network has reached a new state that it has not previously reached; and

wherein determining whether the neural network has reached a new state that it has not previously reached comprises determining whether an activation vector is approximately close to a previous activation vector.

38. The computing device of claim 33, wherein determining whether the objective function is satisfied comprises determining whether the neural network has reached a desired state, wherein the desired state is an erroneous state for the neural network.

39. One or more non-transitory computer-readable media that store instructions that, when executed by one or more processors of a computing system, cause the computing system to perform operations, the operations comprising:

obtaining one or more inputs from an input corpus;

mutating the one or more inputs to generate one or more mutated inputs, wherein a difference between the one or more mutated inputs and the one or more inputs from which the one or more mutated inputs are descended is constrained to have a L_∞ norm;

providing the one or more mutated inputs to a neural network;

obtaining, as a result of the neural network processing the one or more mutated inputs, a set of metadata arrays that describe metadata associated with execution of the neural network to process the one or more mutated inputs;

determining, based at least in part on the set of metadata arrays, whether an objective function is satisfied; and

upon determining that the objective function is satisfied, adding the one or more mutated inputs to a list of test cases.

40. The one or more non-transitory computer-readable media of claim 39, wherein the operations further comprise:

obtaining, as a result of the neural network processing the one or more mutated inputs, a set of coverage arrays that describe whether one or more neurons of the neural network were activated during processing of the one or more mutated inputs by the neural network;

determining, based at least in part on the set of coverage arrays, whether the one or more mutated inputs provide new coverage; and

upon determining that the one or more mutated inputs provide new coverage, adding the one or more mutated inputs to the input corpus.