Co-PatcheR: Collaborative Software Patching with Component-specific Small Reasoning Models

Thank the reviewer for the constructive and positive comments. Please see below for our responses.

1. Definition of “Resolved”

Sorry for the confusion. We follow the standard SWE-bench program setup for issue resolving: Given only the issue description of a target issue and the entire codebase as the input, the patching tools should output a patch diff as an answer automatically.

Generally, the design of patching tools will contain three main modules to handle such tasks: (1) localize the problematic code regions, (2) generate a patch to fix the issue, and (3) validate the patch through our own validation module before submitting the final repair (given that test cases for the issues are not available).

"resolved" means that, after applying our generated patches to the original codebase using Unix's patch program, SWE-bench will execute the existing unit and system tests (including the new golden test for the current issue) associated with that repository. A patch is considered "resolved" if it applies successfully and all existing tests pass. These test cases are collected by the SWE-bench and are not available to any patching tools during the issue resolving process. We acknowledge that even though the patched version passes all the tests, it is still possible that the patch introduces new bugs. We believe it is an interesting future direction to conduct more comprehensive evaluations of patch correctness and security beyond standard unit tests (e.g., using fuzzing tools).

2. Roles of the Validation Model

Sorry for the confusion. The main purpose of our PoC testing is to synthesize test cases for validating whether a candidate patch truly fixes the bug described in the issue. Both assertion tests and non-assertion tests serve this purpose, but in different styles.

The assertion tests independently determine whether the bug is triggered, whereas non-assertion tests only record the output of the PoC and require an LLM to judge the output after execution.

• Assertion tests follow the common unit test style, which would provide an explicit oracle to the target issue—for example, assert sort([2,1]) == [1,2]. When such a test fails, we know that the bug is highly likely to still exist. However, the downside is that writing a correct oracle requires the model to infer an exact post-condition for the issue, which can be difficult..
• Non-assertion tests relax this requirement by performing a general PoC script. These are similar to differential testing, where we compare execution outputs before and after applying the patch to determine fix effectiveness. They are generated to a PoC according to the issue description, being expected to reproduce the same observable symptoms. In the downstream workflow, we would ask LLM to make a judgment according to the original issue description and the output of non-assertion tests. And another benefit from non-assertion tests rather than assertion tests is that non-assertion tests can capture the new bug introduced by the candidate patch by observing and analyzing actual output behavior.

So we keep both kinds of tests for two reasons:

• Coverage – Some bugs have well-defined expected values or exceptions that can be explicitly tested with assertions, while others manifest as subtle behavioral changes or output variations that are better captured through execution observation rather than rigid assertion checks. Using both styles ensures we can validate a wider range of issues.
• Regression – A patch might solve the original failure but introduce a new one. Because non-assertion tests observe the output of the program, they can detect these new bugs even though the old assertion still passes. The whole patching system can utilize this information for further patch refinement.

3. Localization module explanation

• Factoring out the localization step: We agree with the reviewer that using actual localization from patch commits could help isolate generation performance. However, it's important to note that even commit-based localization cannot guarantee completeness, as there is no true "golden localization" in this task setting. For effective code repair, models need sufficient contextual information beyond just the exact modified lines - including surrounding code, dependencies, and related functions. Additionally, the same bug can often be fixed through multiple valid approaches at different locations, making even commit-based localization an approximation rather than a definitive ground truth.
• Controlled evaluation: In our experiments, we do use the same localization results across different generation models for comparison(in section §4.2.2, we use the same localization results from GPT-4o as the input of generation evaluation ), which effectively factors out localization variance and allows us to isolate the generation capabilities of different approaches.
• Tangling commits concern: We agree with the reviewer that commits containing irrelevant modifications are due to mixed bug-fixing and refactoring activities. However, our work addresses this issue during training data collection. We address this by selecting training datasets that have already been filtered for issues primarily focused on bug fixes with corresponding unit tests, thereby minimizing the impact of irrelevant code modifications from tangling commits. This curation process ensures that our training data better reflects targeted bug-fixing scenarios rather than complex, multi-purpose commits.
• Non-LLM localization methods: We acknowledge the suggestion to include non-LLM localization methods in our ablation study. However, our localization input only contains issue descriptions and repository code, where the issue descriptions often lack perfect proof-of-concept examples or precise error locations. This requires semantic understanding to map natural language problem descriptions to relevant code sections, making it difficult to effectively compare with traditional non-LLM localization methods that typically rely on explicit error traces, stack traces, or other structured debugging information.

4. Inference efficiency metrics

In order to show the inference metric of our model and system, we have added an extra experiment to record the inference efficiency metrics, as shown in the following table. We log four kinds of metrics for an average of every issue: end-to-end wall-clock time for our testing setup in §4.1, tokens generated across all model calls (completion), latency for average one-shot model inference, and peak GPU memory. Experiments run on a pair of NVIDIA L40S (48 GB) cards with vllm deployment framework. The throughput can be further improved through parallel processing of multiple instances.

5. Explanation of the efficiency of a small training dataset

Sorry for the issue with the figure reference, will correct it. Regarding the relatively small dataset size, there are several key reasons why our approach requires significantly fewer training samples compared to methods like SWE-RL:

• Knowledge Distillation: Our model training employs supervised fine-tuning (SFT) through knowledge distillation from a teacher model, which enables efficient learning of the teacher's response structure and patterns. In contrast, RL-based methods like SWE-RL require extensive exploration and trial-and-error processes across many samples to optimize their policies, making them inherently data-hungry.
• Reasoning-Based Training Data: Our training approach focuses on reasoning data that teaches the model to analyze problems systematically before generating solutions. This reasoning-first methodology allows the model to quickly internalize the teacher's logical reasoning patterns, leading to more efficient knowledge transfer compared to methods that learn from raw input-output pairs without explicit reasoning steps.
• Targeted Learning Objective: Unlike other methods that need to explore vast action spaces, our approach has a more focused learning objective - replicating the teacher model's structured reasoning process for patch generation. This specificity reduces the data requirements significantly.

6. Training method

All three models in our paper were trained using knowledge distillation from teacher models through supervised fine-tuning (SFT). The SFT training optimizes the standard cross-entropy loss between the model's predicted token probabilities and the ground truth tokens from the teacher-generated responses.

7. Typos and missing appendix and code

Sorry for the typos, will correct them (e.g., “figure 4” should be “section 4”). We submitted the appendix in the supplementary material. We will also make our code, data, and models public.

Thank you for the feedback. We would also like to quickly mention that most methods require dynamic testing, which should have a similar computational time as ours. We will add this acknowledgment to the paper. Thanks!

We thank the reviewer for the positive and constructive comments. Please see below for our responses.

1. Clarification of unit testing

Thank you for pointing this out. Yes, our work focuses exclusively on unit-test–level validation, where each generated test exercises a single function or script in isolation. We will make sure to clarify this in the next revision to avoid confusion with other test levels (integration, acceptance, etc.).

2. Difference between assertion tests and non-assertion tests

Sorry for the confusion. The main purpose of our PoC testing is to synthesize test cases for validating whether a candidate patch truly fixes the bug described in the issue. Both assertion tests and non-assertion tests serve this purpose, but in different styles.

The assertion tests independently determine whether the bug is triggered, whereas non-assertion tests only record the output of the PoC and require an LLM to judge the output after execution.

• Assertion tests follow the common unit test style, which would provide an explicit oracle to the target issue—for example, assert sort([2,1]) == [1,2]. When such a test fails, we know that the bug is highly likely to still exist. However, the downside is that writing a correct oracle requires the model to infer an exact post-condition for the issue, which can be difficult..
• Non-assertion tests relax this requirement by performing a general PoC script. These are similar to differential testing, where we compare execution outputs before and after applying the patch to determine fix effectiveness. They are generated to a PoC according to the issue description, being expected to reproduce the same observable symptoms. In the downstream workflow, we would ask LLM to make a judgment according to the original issue description and the output of non-assertion tests. And another benefit from non-assertion tests rather than assertion tests is that non-assertion tests can capture the new bug introduced by the candidate patch by observing and analyzing actual output behavior.

So we keep both kinds of tests for two reasons:

• Coverage – Some bugs have well-defined expected values or exceptions that can be explicitly tested with assertions, while others manifest as subtle behavioral changes or output variations that are better captured through execution observation rather than rigid assertion checks. Using both styles ensures we can validate a wider range of issues.
• Regression – A patch might solve the original failure but introduce a new one. Because non-assertion tests observe the output of the program, they can detect these new bugs even though the old assertion still passes. The whole patching system can utilize this information for further patch refinement.

3. The combination of localization and patch generation

There are two reasons why we combine the localization and generation in one model:

• Share Core Abilities: Both subtasks require fundamental capabilities in understanding the issue description to identify what needs to be fixed, and reasoning over the current codebase to determine the appropriate intervention points and methods.
• Task Interdependence: A better understanding of how to fix a bug helps clarify what context needs to be retrieved for localization, while precise localization provides essential context for accurate patch generation. Localization applies these abilities to locate faulty lines; generation applies the same context to edit them. Because the tasks are sequential, training them together allows the model to reuse intermediate reasoning and to learn a smoother “find-then-fix” workflow without growing the parameter count.

We further experimented with two separate models—one fine-tuned for localization, the other for generation. Testing the results of pass@20(whether a correct patch is in the 20 generated candidates) on the SWE-bench Verified split as we did in ablation studies, to isolate the framework factor. The scores were 55.40% for the split setup and 56.20% for the joint model. The joint model performed at least as well, sometimes better.

4. Inaccurate phrasing

Thank you for spotting the typo on page 4, line 138. We will remove the “vulnerable” description because we are not only focusing on security problems, and we will also clarify PoC as ‘proof-of-concept’ to avoid ambiguity. And we will update the correct citation name in §3.2.1.

Thank the reviewer for the constructive comments. Please see below for our responses.

1. Separation model between localization and patch generation

There are two reasons why we combine the localization and generation in one model:

• Share Core Abilities: Both subtasks require fundamental capabilities in understanding the issue description to identify what needs to be fixed, and reasoning over the current codebase to determine the appropriate intervention points and methods.
• Task Interdependence: A better understanding of how to fix a bug helps clarify what context needs to be retrieved for localization, while precise localization provides essential context for accurate patch generation. Localization applies these abilities to locate faulty lines; generation applies the same context to edit them. Because the tasks are sequential, training them together allows the model to reuse intermediate reasoning and to learn a smoother “find-then-fix” workflow without growing the parameter count.

We further experimented with two separate models—one fine-tuned for localization, the other for generation. Testing the results of pass@20(whether a correct patch is in the 20 generated candidates) on the SWE-bench Verified split as we did in ablation studies, to isolate the framework factor. The scores were 55.40% for the split setup and 56.20% for the joint model. The joint model performed at least as well, sometimes better.

2. Single model for all the tasks

We also tried to explore the solution of training a single model for all the tasks in the patching process. A single 14 B model was fine-tuned jointly on localization, patch generation, and validation, and we re-evaluated it under the same best@20 on SWE-bench-Verified with the same hyperparameters in ablation experiments(5 root causes from localization, 20 patches from generation, and 4 PoCs from validation). We can see that the

Although the All-in-One model matches Co-PatcheR on the two upstream metrics— localization(file-level and line-level), Pass@20 resolved rate for patch generation and its best@20 resolved rate are worse than Co-PatcheR.

This gap appears in the validation stage. For the Localization & Generation task, the model shares common capabilities as demonstrated in part ##1, and benefits from consistent, stable behavior. However, the validation module, especially the test generation part, requires the ability to produce diverse and comprehensive tests to thoroughly explore edge cases and corner scenarios. When both objectives are packed into a single set of model weights, it creates a fundamental tension: maintaining consistency for localization/generation pushes the model toward conservative behavior, which conflicts with the need for creative and diverse test generation in validation. Consequently, the model produces overly narrow or insufficient test suites that fail to adequately validate patches. This means that potentially correct patches—which would pass validation if tested more comprehensively—are incorrectly rejected due to incomplete testing coverage, ultimately reducing the overall bug resolution rate.

3. Assertions and non-assertions testing

Sorry for the confusion. The main purpose of our PoC testing is to synthesize test cases for validating whether a candidate patch truly fixes the bug described in the issue. Both assertion tests and non-assertion tests serve this purpose, but in different styles.

The assertion tests independently determine whether the bug is triggered, whereas non-assertion tests only record the output of the PoC and require an LLM to judge the output after execution.

• Assertion tests follow the common unit test style, which would provide an explicit oracle to the target issue—for example, assert sort([2,1]) == [1,2]. When such a test fails, we know that the bug is highly likely to still exist. However, the downside is that writing a correct oracle requires the model to infer an exact post-condition for the issue, which can be difficult..
• Non-assertion tests relax this requirement by performing a general PoC script. These are similar to differential testing, where we compare execution outputs before and after applying the patch to determine fix effectiveness. They are generated to a PoC according to the issue description, being expected to reproduce the same observable symptoms. In the downstream workflow, we would ask LLM to make a judgment according to the original issue description and the output of non-assertion tests. And another benefit from non-assertion tests rather than assertion tests is that non-assertion tests can capture the new bug introduced by the candidate patch by observing and analyzing actual output behavior.

So we keep both kinds of tests for two reasons:

• Coverage – Some bugs have well-defined expected values or exceptions that can be explicitly tested with assertions, while others manifest as subtle behavioral changes or output variations that are better captured through execution observation rather than rigid assertion checks. Using both styles ensures we can validate a wider range of issues.
• Regression – A patch might solve the original failure but introduce a new one. Because non-assertion tests observe the output of the program, they can detect these new bugs even though the old assertion still passes. The whole patching system can utilize this information for further patch refinement.

4. Multiple test usage in the validation module

Sorry for the confusion. We rank patches based on dynamic testing results (number of passed PoC and functionality tests) to identify the highest-scoring candidates. When multiple patches achieve the same highest score, we apply majority voting to select the final patch. Will clarify this in the paper.

As for the reason why we need 4 PoC tests, without the golden test case about the issue, we need to synthesize related test cases to validate whether a candidate patch truly fixes the bug described in the issue. Given that we can not make sure one-shot test generation can exactly describe the issue, we would like to increase the testing cases to have better coverage and robustness as mentioned above. And we also have an ablation study in §Appendix B.3 to show why we use 4 PoC tests in our system.

5. Citations of PoC test generation classification

We acknowledge that existing methods do not explicitly categorize and emphasize the distinction between assertion and non-assertion tests. However, through our analysis of actual project implementations, we observed that Agentless[1] generates assertion-based reproduction tests for validation, while PatchPilot[2] produces non-assertion tests and employs LLMs for test result evaluation. We will make sure to clarify this in the paper.

6. Suggestions for Table 1

Thanks for the valuable suggestion. We will update Table 1 with more information regarding the differences between our method and the baselines (e.g., distillation vs. RL).

[1] Agentless: Demystifying LLM-based Software Engineering Agents [2] PatchPilot: A Cost-Efficient Software Engineering Agent with Early Attempts on Formal Verification

We thank the reviewer for the positive and constructive comments. Please see below for our responses.

1. Cross-framework evaluation experiments

Following the reviewer’s suggestion, we integrate the Co-PatcheR models into the agentless framework. We measure best@60 on the SWE-bench-Verified benchmark as a balance of performance and efficiency. All other hyperparameters are kept identical to SWE-RL to enable an apple-to-apple comparison.

Even with the changing of the testing framework, Co-PatcheR keeps a 4.20% advantage over the 70B SWE-RL model final results, showing the strengths of Co-PatcheR models.

We also observe a 0.80% drop from Co-PatcheR+PatchPilot (46.00%) to Co-PatcheR + Agentless. This is because the models are trained based on the agentic data generated using the PatchPilot framework, which are naturally more suitable for use in PatchPilot. Besides, the validation strategy in PatchPilot and Agentless is different: for example, we utilize two kinds of PoCs(assertion and non-assertion) in PatchPilot, which also causes some performance discrepancy.

Also, we would like to clarify that SWE-RL has not released its weights, so we cannot re-run it in any agent framework. That’s why we can not do SWE-RL + PatchPilot testing, but only compare with the results they mentioned in their paper.

2. Inference efficiency metrics

Following the reviewer’s suggestion, we comprehensively evaluated the efficiency of Co-PatheR, as shown in the following table. We log four kinds of metrics for an average of every issue: end-to-end wall-clock time for one instance under our testing setup in the paper(5 root causes from the localization model and 4PoCs from the validation model), tokens generated across all model calls (completion), latency for average one-shot model inference, and peak GPU memory. These metrics provide the efficiency baseline for Co-PatcheR on two NVIDIA L40S (48 GB) cards with a VLLM deployment framework. The throughput can be further improved through parallel processing of multiple instances.