Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Published byBrooks Riggs Modified over 9 years ago

Similar presentations

Presentation on theme: "Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research."— Presentation transcript:

1 Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research

2 Satisfiability modulo theories (a   c) (b   c) (a  b  c) c = true b = true a = true (a   c) (b   c) (a  b  c) a  f(x-y) = 1 b  f(y-x) = 2 c  x = y c = false, b = true, a = true, x = 0, y = 1, f = [-1  1, 1  2, else  0]

3 Communicating theories f(x – y) = 1, f(y-x) = 2, x = y f(p) = q, f(r) = s, x = yp = x – y, q = 1, r = y – x, s = 2 x = y p = r q = s UNSAT

4 Applications Symbolic execution – SAGE – PEX Static checking of code contracts – Spec# – Dafny – VCC Security analysis – HAVOC Searching program behaviors – Poirot

5 Anatomy of an application The profile of each application determined by – Boolean structure – theories used – theory vs. propositional – deep vs. shallow – presence/absence of quantifiers – …

6 Applications Symbolic execution – SAGE – PEX Static checking of code contracts – Spec# – Dafny – VCC Security analysis – HAVOC Searching program behaviors – Poirot

7 *  BoogiePL Z3 Boogie VCGen C/.NET/Dafny Program BoogiePL program Verification condition VerifiedWarning Annotations SMT in program analysis

8 class C { int size; int[] data; void write(int i, int v) { if (i >= data.Length) { var t = new int[2*i]; copy(data, t); data = t; } data[i] = v; } static copy(int[] from, int[] to) { for (int i = 0; i < from.Length; i++) { to[i] = from[i]; } var size: [Ref]int; var data: [Ref]Ref; var Contents: [Ref][int]int function Length(Ref): int; proc write(this: Ref, i: int, v: int) { var t: Ref; if (i >= Length(data)) { call t := alloc(); assume Length(t) == 2*i; call copy(data[this], t); data[this] := t; } assert 0 <= i && i < Length(data[this]); Contents[data[this]][i] := v; } proc copy(from: Ref, to: Ref) { var i: int; i := 0; while (i < Length(from)) { assert 0 <= i && i < Length(from); assert 0 <= i && i < Length(to); Contents[to][i] := Contents[from][i]; i := i + 1; }

9 Modeling the heap Contents[data[this]][i] := v Contents[Select(data, this)][i] := v Contents[Select(data, this)] := Update(Contents[Select(data, this)], i, v) Contents := Update(Contents, Select(data, this), Update(Contents[Select(data, this)], i, v)) Theory of arrays: Select, Store for all f, i, v :: Select(Update(f, i, v), i) = v for all f, i, v, j :: i = j  Select(Update(f, i, v), j) = Select(f, j) for all f, g :: f = g  (exists i :: Select(f, i)  Select(g, i)) var Alloc: [Ref]bool; proc alloc() returns (x: int) { assume !Alloc[x]; Alloc[x] := true; }

10 Program correctness Floyd-Hoare triple {P} S {Q} P, Q : predicates/property S : a program From a state satisfying P, if S executes, – No assertion in S fails, and – Terminating executions end up in a state satisfying Q

11 Annotations Assertions over program state Can appear in – Assert – Assume – Requires – Ensures – Loop invariants Program state can be extended with ghost variables – State of a lock – Size of C buffers

12 Weakest liberal precondition wlp( assert E, Q ) = E  Q wlp( assume E, Q ) = E  Q wlp( S;T, Q ) = wlp(S, wlp(T, Q)) wlp( if E then S else T, Q ) = if E then wlp(S, Q) else wlp(T, Q) wlp( x := E, Q ) = Q[E/x] wlp( havoc x, Q ) =  x. Q

13 Desugaring loops – inv J while B do S end Replace loop with loop-free code: assert J; havoc modified(S); assume J; if (B) { S; assert J; assume false; } Check J at entry Check J is inductive

14 Desugaring procedure calls Each procedure verified separately Procedure calls replaced with their specifications procedure Foo(); requires pre; ensures post; modifies V; call Foo(); assert pre; havoc V; assume post; precondition postcondition set of variables possibly modified in Foo

15 Inferring annotations Problem statement – Given a set of procedures P1, …, Pn – A set of C of candidate annotations for each procedure – Returns a subset of the candidate annotations such that each procedure satisfies its annotations Houdini algorithm – Performs a greatest-fixed point starting from all annotations Remove annotations that are violated – Requires a quadratic (n * |C|) number of queries to a modular verifier

16 Limits of modular analysis Supplying invariants and contracts may be difficult for developers Other applications may be enabled by whole program analysis – Answering developer questions: how did my program get to this line of code? – Crash-dump analysis: reconstruct executions that lead to a particular failure

17 Reachability modulo theories Variables: X T 1 (X,X’)T 2 (X,X’) T 3 (X,X’)T 4 (X,X’) T 5 (X,X’)T 6 (X,X’) T i (X, X’) are transition predicates for transforming input state X to output state X’ assume satisfiability for T i (X, X’) is “efficiently” decidable Is there a feasible path from blue to orange node? Parameterized in two dimensions theories: Boolean, arithmetic, arrays, … control flow: loops, procedure calls, threads, … T 8 (X,X’)T 7 (X,X’)

18 Complexity of (sequential) reachability-modulo-theories Undecidable in general – as soon as unbounded executions are possible Decidable for hierarchical programs – PSPACE-hard (with only Boolean variables) – NEXPTIME-hard (with uninterpreted functions) – in NEXPTIME (if satisfiability-modulo-theories in NP)

19 Corral: A solver for reachability-modulo-theories Solves queries up to a finite recursion depth – reduces to hierarchical programs Builds on top of Z3 solver for satisfiability- modulo-theories Design goals – exploit efficient goal-directed search in Z3 – use abstractions to speed-up search – avoid the exponential cost of static inlining

20 Corral architecture for sequential programs Input Program Abstract Program Variable Abstraction Stratified Inlining Z3 True counter- example ? Unreachable Reachable Hierarchical Refinement Yes No Z3

21 Corral architecture for sequential programs Input Program Abstract Program Variable Abstraction Stratified Inlining Z3 True counter- example ? Unreachable Reachable Hierarchical Refinement Yes No Z3

22 Corral architecture for sequential programs Input Program Abstract Program Variable Abstraction Stratified Inlining Z3 True counter- example ? Unreachable Reachable Hierarchical Refinement Yes No Z3

23 Handling concurrency Input Program Abstract Program Variable Abstraction Stratified Inlining Z3 True counter- example ? Unreachable Reachable Hierarchical Refinement Yes No Z3 Sequentialization

24 What is sequentialization? Given a concurrent program P, construct a sequential program Q such that Q  P Drop each occurrence of async-call Convert each occurrence of async-call to call Make Q as large as possible

25 Parameterized sequentialization Given a concurrent program P, construct a family of programs Q i such that – Q 0  Q 1  Q 2  …  P –  i Q i = P Even better if interesting behaviors of P manifest in Q i for low values of i

26 Context-bounding Captures a notion of interesting executions in concurrent programs Under-approximation parameterized by K ≥ 0 – executions in which each thread gets at most K contexts to execute – as K  , we get all behaviors

27 Context-bounding is sequentializable For any concurrent program P and K ≥ 0, there is a sequential program Q K that captures all executions of P up to context bound K Simple source-to-source transformation – linear in |P| and K – each global variable is copied K times

28 Challenges

29 Programming SMT solvers Little support for decomposition – Floyd-Hoare is the only decomposition rule Little support for abstraction – SMT solvers are a black box – difficult to influence search How do we calculate program abstractions using an SMT solver?

30 Mutable dynamically-allocated memory Select-Update theory is expensive Select-Update theory is not expressive enough – to represent heap shapes – to encode frame conditions

31 Quantifiers Appear due to – partial axiomatizations – frame conditions – assertions Undecidable in general A few decidability results – based on finite instantiations – brittle

Download ppt "Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research."

Similar presentations

Automatic verification of summations K. Rustan M. Leino IFIP WG 2.3 meeting 46 Sydney, Australia 11 January 2007.

Automatic verification of summations K. Rustan M. Leino IFIP WG 2.3 meeting 46 Sydney, Australia 11 January 2007.
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Decision Structures - If / Else If / Else. Decisions Often we need to make decisions based on information that we receive. Often we need to make decisions.

Decision Structures - If / Else If / Else. Decisions Often we need to make decisions based on information that we receive. Often we need to make decisions.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.
Synthesis, Analysis, and Verification Lecture 13 Dynamic Allocation.

Synthesis, Analysis, and Verification Lecture 13 Dynamic Allocation.
The Dafny program verifier

The Dafny program verifier
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 15 January 2009 Séminaire Digiteo Orsay, France.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 15 January 2009 Séminaire Digiteo Orsay, France.
50.530: Software Engineering

50.530: Software Engineering
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Similar presentations

Ads by Google