Symbolic Execution with Mixed Concrete-Symbolic Solving Corina Pasareanu 1, Neha Rungta 2 and Willem Visser 3 1 Carnegie Mellon, 2 SGT Inc./NASA Ames 3.


1 Symbolic Execution with Mixed Concrete-Symbolic Solving Corina Pasareanu 1, Neha Rungta 2 and Willem Visser 3 1 Carnegie Mellon, 2 SGT Inc./NASA Ames 3 University of Stellenbosch

2 Symbolic Execution
   Program analysis technique: King [Comm. ACM 1976], Clarke [IEEE TSE 1976]
   Executes a program on symbolic inputs
   Maintains a path condition (PC), checked for satisfiability with decision procedures
   Received renewed interest in recent years due to
      algorithmic advances
      increased availability of computational power and decision procedures
   Applications: test-case generation, error detection, ...
   Tools, many open-source:
      UIUC: CUTE, jCUTE; Stanford: EXE, KLEE; UC Berkeley: CREST, BitBlaze
      Microsoft's Pex, SAGE, YOGI, PREfix
      NASA's Symbolic (Java) PathFinder
      IBM's Apollo, Parasoft's testing tools, etc.

3 Symbolic Execution
   void test(int x, int y) {
     if (x > 0) {
       if (y == hash(x)) S0; else S1;
       if (x > 3 && y > 10) S3; else S4;
     }
   }
   S0, S1, S3, S4 = statements we wish to cover

4 Symbolic Execution
   void test(int x, int y) {
     if (x > 0) {
       if (y == hash(x)) S0; else S1;   // hash is native, or cannot be handled by the decision procedure
       if (x > 3 && y > 10) S3; else S4;
     }
   }
   S0, S1, S3, S4 = statements we wish to cover
   Assume hash is native or cannot be handled by the decision procedure:
   classic symbolic execution cannot handle it!
   Solution: mixed concrete-symbolic solving

5 Mixed Concrete-Symbolic Solving
   Example (hash(x) = 10*x):
      EXE results: statement S3 not covered
      DART results: path S0;S4 not covered (predicted path S0;S4 != path taken S1;S4)
      Mixed concrete-symbolic solving: all paths covered

6 Mixed Concrete-Symbolic Solving
   Use uninterpreted functions for external library calls
   Split the path condition PC into:
      simplePC: solvable constraints
      complexPC: non-linear constraints and constraints with uninterpreted functions
   Solve simplePC
   Use the obtained solutions to simplify complexPC
   Check the result again for satisfiability

7 Mixed Concrete-Symbolic Solving
   Assume hash(x) = 10*x
   PC: X>3 ∧ Y>10 ∧ Y=hash(X)
      simplePC:  X>3 ∧ Y>10
      complexPC: Y=hash(X)
   Solve simplePC: X=4
   Use the solution to compute hash(4)=40
   Simplify complexPC: Y=40
   Solve again, simplified PC: X>3 ∧ Y>10 ∧ Y=40
   Satisfiable!

8 Symbolic Execution
   void test(int x, int y) {
     if (x > 0) {
       if (y == hash(x)) S0; else S1;
       if (x > 3 && y > 10) S3; else S4;
     }
   }
   int hash(int x) { if (0 <= x && x <= 10) return x*10; else return 0; }
   Symbolic execution tree (PC at each node):
      PC: true
         PC: X<=0
         PC: X>0
            PC: X>0 & Y=hash(X)            -> S0
               PC: X>3 & Y>10 & Y=hash(X)  -> S3
               PC: X>0 & X<=3 & Y=hash(X)  -> S4
            ...
   Mixed solving along the way:
      Solve X>0: X=1, hash(1)=10, check X>0 & Y=10
      Solve X>3 & Y>10: X=4, hash(4)=40, check X>3 & Y>10 & Y=40

9 Potential for Unsoundness
   void test(int x, int y) {
     if (x >= 0 && x > y && y == x*x) S0; else S1;
   }
   S0 is not reachable (no integer x satisfies x*x < x).
   PC for S0: X>=0 & X>Y & Y=X*X
      simplePC:  X>=0 & X>Y
      complexPC: Y=X*X
   Solve simplePC: X=0, Y=-1
   Compute Y = 0*0 = 0
   Simplified PC: X>=0 & X>Y & Y=0
      Is SAT, which implies S0 is reachable! (Unsound.)
   Must add constraints on the solutions back into the simplified PC:
      X>=0 & X>Y & Y=0 & X=0
      Not SAT!
   DART/concolic execution would diverge instead.

10 Directed Automated Random Testing (DART), or Concolic Execution
   Godefroid, Klarlund and Sen 2005
   Collects path conditions along concrete executions
   Negates constraints on the PC after a run and executes again with the newly found solutions
   Can overcome the weaknesses of classic symbolic execution

11 DART/Concolic Execution
   void test(int x, int y) {
     if (x > 0) {
       if (y == hash(x)) S0; else S1;
       if (x > 3 && y > 10) S3; else S4;
     }
   }
   native int hash(int x) { if (0 <= x && x <= 10) return x*10; else return 0; }
   (the native call is replaced by its concrete result in the collected PC)
   test(1,0):
      X>0
      X>0 & Y!=10                -> S1
      X>0 & Y!=10 & X<=3         -> S4
   Negate the last constraint: X>0 & Y!=10 & X>3, solution test(4,0):
      X>0
      X>0 & Y!=40                -> S1
      X>0 & Y!=40 & X>3 & Y<=10  -> S4

12 DART/Concolic Execution
   Negate the last constraint: X>0 & Y!=40 & X>3 & Y>10, solution test(4,11):
      X>0
      X>0 & Y!=40               -> S1
      X>0 & Y!=40 & X>3 & Y>10  -> S3
   Negate Y!=40: X>0 & Y=40 & X>3 & Y>10, solution test(4,40):
      X>0
      X>0 & Y=40                -> S0
      X>0 & Y=40 & X>3 & Y>10   -> S3

13 DART/Concolic Execution
   Negate X>3: X>0 & Y=40 & X<=3 & Y>10, solution test(1,40):
      X>0
      X>0 & Y!=10         -> S1
      X>0 & Y!=10 & X<=3  -> S4
   Divergence! Aimed to get S0;S4 but reached S1;S4 (hash(1)=10, not 40)

14 Mixed Concrete-Symbolic Solving vs DART
   Both are incomplete
   Incomparable in power (see paper)
   Mixed concrete-symbolic solving can handle only "pure", side-effect-free functions
   DART does not have that limitation, but will likely diverge

15 Addressing Incompleteness: 3 Heuristics
   Incremental solving
   User annotations
   Random solving

16 Incremental Solving
   void test(int x, int y) {
     if (x > 0) {
       if (y == hash(x)) S0; else S1;
       if (y > 10) S3; else S4;
     }
   }
   int hash(int x) { if (0 <= x && x <= 10) return x*10; else return 0; }
   Symbolic execution tree:
      PC: true
         PC: X<=0
         PC: X>0
            PC: X>0 & Y=hash(X)            -> S0
               PC: X>0 & Y>10 & Y=hash(X)  -> S3
               PC: X>0 & Y<=10 & Y=hash(X) -> S4
            ...
   Solve X>0: X=1, hash(1)=10, check X>0 & Y=10
   Solve X>0 & Y>10:
      Solution X=1: hash(1)=10, check X>0 & Y>10 & Y=10: Not SAT!
      Get another solution, X=2: hash(2)=20, check X>0 & Y>10 & Y=20: SAT!
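The following Python sketch is an added example, not code from the paper or from Symbolic PathFinder. It reproduces the procedure of slides 6 and 7 on the running example, the unsoundness of slide 9 with and without the fix, and the incremental solving of slide 16. The names mixed_solve, solve and native_hash, the representation of constraints as Python predicates, and the brute-force search over a small integer range that stands in for the decision procedure are all assumptions of the example.

```python
"""Mixed concrete-symbolic solving on the slides' running example.

Added illustration, not the paper's SPF implementation.  Assumptions: constraints
are Python predicates over a dict of symbolic variables, and a brute-force search
over the small integer range DOMAIN stands in for the decision procedure.
"""
from itertools import product

DOMAIN = range(-3, 45)      # assumed finite search space for the stand-in solver
X, Y = "X", "Y"             # names of the symbolic inputs


def native_hash(x):
    """The slides' opaque function: hash(x) = 10*x for 0 <= x <= 10, else 0."""
    return x * 10 if 0 <= x <= 10 else 0


def solve(constraints, variables, fixed=None):
    """Yield every assignment in DOMAIN satisfying all constraints.
    Stand-in for a decision procedure; variables in `fixed` keep that value."""
    fixed = fixed or {}
    free = [v for v in variables if v not in fixed]
    for values in product(DOMAIN, repeat=len(free)):
        env = dict(fixed, **dict(zip(free, values)))
        if all(c(env) for c in constraints):
            yield env


def mixed_solve(simple_pc, complex_pc, variables, incremental=True, sound=True):
    """Slides 6-7: solve simplePC, evaluate the opaque calls on that solution,
    substitute the results into complexPC and check the simplified PC again.

    complex_pc is a list of (out, fn, arg) triples meaning `out == fn(arg)`.
    incremental (slide 16): try further simplePC solutions when the first fails.
    sound (slide 9): also pin `arg` to the value fn was evaluated on.
    Returns a satisfying assignment, or None (the method is incomplete)."""
    for sol in solve(simple_pc, variables):
        # concretize the opaque calls using the simplePC solution
        fixed = {out: fn(sol[arg]) for out, fn, arg in complex_pc}
        if sound:
            # without this, fn's result may be paired with an arg it was not computed for
            fixed.update({arg: sol[arg] for _, _, arg in complex_pc})
        for env in solve(simple_pc, variables, fixed):
            return env          # simplified PC is satisfiable
        if not incremental:
            return None         # give up after the first simplePC solution
    return None


def slide7():
    """PC: X>3 & Y>10 & Y=hash(X).  simplePC gives X=4, hash(4)=40, so Y=40."""
    simple = [lambda e: e[X] > 3, lambda e: e[Y] > 10]
    return mixed_solve(simple, [(Y, native_hash, X)], [X, Y])


def slide16():
    """PC: X>0 & Y>10 & Y=hash(X).  The first simplePC solution X=1 yields
    hash(1)=10, contradicting Y>10; incremental solving moves on to X=2."""
    simple = [lambda e: e[X] > 0, lambda e: e[Y] > 10]
    cplx = [(Y, native_hash, X)]
    return (mixed_solve(simple, cplx, [X, Y], incremental=False),
            mixed_solve(simple, cplx, [X, Y], incremental=True))


def slide9():
    """PC: X>=0 & X>Y & Y=X*X has no integer solution (S0 unreachable).  Without
    pinning X to the value X*X was computed for (here the first simplePC solution
    is X=0, Y=-3 rather than the slide's Y=-1), the simplified PC
    X>=0 & X>Y & Y=0 is satisfiable and S0 is wrongly reported reachable."""
    simple = [lambda e: e[X] >= 0, lambda e: e[X] > e[Y]]
    cplx = [(Y, lambda x: x * x, X)]
    return (mixed_solve(simple, cplx, [X, Y], sound=False),
            mixed_solve(simple, cplx, [X, Y], sound=True))


if __name__ == "__main__":
    print("slide 7 :", slide7())
    print("slide 16:", slide16())
    print("slide 9 :", slide9())
```

The sound variant returns None for slide 9 only after exhausting every simplePC solution, which is the price of incremental solving with a finite stand-in solver; a real decision procedure would be asked for a fresh model each round instead.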

17 User Annotations
   @Partition({"x>3", "x<=3"})
   void test(int x, int y) {
     if (x > 0) {
       if (y == hash(x)) S0; else S1;
       if (y > 10) S3; else S4;
     }
   }
   int hash(int x) { if (0 <= x && x <= 10) return x*10; else return 0; }
   Symbolic execution tree as on slide 16; at S3 the PC is X>0 & Y>10 & Y=hash(X)
   Solve X>0: X=1, hash(1)=10, check X>0 & Y=10
   Add user partitions one at a time:
      Solve X>0 & Y>10 & X>3: X=4, hash(4)=40, check X>0 & Y>10 & Y=40: SAT!

18 Random Solving
   Pick solutions randomly from the solution space
   Current implementation only picks randomly if the solution space is completely unconstrained

19 Implementation
   Java PathFinder (JPF): model checker for Java, open source
   Symbolic PathFinder (SPF): symbolic execution extension for JPF (jpf-symbc)
   Mixed concrete-symbolic solving: custom listeners on SPF
   Experience:
      TSAFE (Tactical Separation Assisted Flight Environment)
      Apollo Lunar Pilot
      Example PC: 37 constraints in simplePC and 6 in complexPC

20 Related Work
   Tools that perform a mixture of concrete and symbolic execution: EXE, DART, CUTE, PEX, SAGE, ...
   "Higher order test generation", P. Godefroid [PLDI'11]
      Uses a combination of validity checking and uninterpreted functions
      Generates tests from validity proofs
      Implementation challenge

21 Conclusions and Future Work
   Mixed concrete-symbolic solving to address problems with classic symbolic execution:
      handling native libraries
      incomplete decision procedures
   Open source implementation for Java
   Future work:
      more experiments
      more heuristics
      handle data structures executed outside symbolic execution
      use JPF's serialization

22 Thank you!

