Download presentation

Presentation is loading. Please wait.

Published byLina Fraser Modified about 1 year ago

1
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

2
Outline Boolean Programs and Bebop What? Why? Results Demo Semantics of Boolean Programs Technical details of algorithm Evaluation Related Work

3
Boolean Programs: What Model for representing abstractions of imperative programs in C, C#, Java, etc. Features: Boolean variables Control-flow: sequencing, conditionals, looping, GOTOs Procedures Call-by-value parameter passing recursion Control non-determinism

4
Boolean programsBoolean programs: Why bool x,y; [1] while (true) { [2] if(x == y) { [3]y = !x; } else{ [4]x = !x; [5]y = !y; } [6]if (?) break; } [7] if(x == y) [8]assert (false); Representation of program abstractions, a la Cousots Each boolean variable represents a predicate: (i < j) (*p==i) && ( (int) p == j) (p T), where T is recursive data type [Graf-Saidi]

5
Bebop - Results Reachability in boolean programs reduced to context-free language reachability Symbolic interprocedural dataflow analysis Adaptation of [Reps-Horwitz-Sagiv, POPL’95] algorithm Complexity of algorithm is O(E 2 n ) E = size of interprocedural control flow graph n = max. number of variables in the scope of any label

6
Bebop - Results Admits control flow + variables Existing pushdown model checkers don’t use variables (encode variable values explicitly in state) [Esparaza, et al.] Analyzes procedures separately exploits procedural abstraction + locality of variable scopes Uses hybrid representation Explicit representation of control flow graph, as in a compiler Implicit representation of reachable states via BDDs Generates hierarchical trace

7
Bebop Demo!

8
Outline Boolean Programs and Bebop Semantics of Boolean Programs “stackless” semantics using context-free grammar Technical details of algorithm Evaluation Related Work

9
Stackless Semantics State = p = program counter = valuation to variables in scope at p No stack! (B): finite alphabet over boolean program B Call (with return to p), a valuation to Locals(p) Return to p, a valuation to Locals(p)

10
State transition - -> = (x) = (x), x in Locals(c) = ’(x) = (x), x in Locals(c) ’(g) = (g), g a global

11
Trace Semantics Context-free grammar L(B) constrains allowable traces M -> M M -> M M M -> 0 - 1 -> 1 - 2 -> … m-1 - m -> m is a trajectory of B iff i - i+1 -> i+1 is a state transition, for all i 1 2 … m L(B)

12
Outline Boolean Programs and Bebop Semantics of Boolean Programs Technical details of reachability algorithm Binary Decision Diagrams (BDDs) Path edges Summary edges Example Preliminary Evaluation SLAM Project

13
Binary Decision Diagrams Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors) F(x,y,z) = (x=y) x y z 11 z 00 y z 00 z 11

14
Hash Consing + Variable Elimination x yy z 0 z 1 x yy 0 1 x y z 11 z 00 y z 00 z 11

15
Path Edges PE(p), iff Exists initialized trajectory ending in, where e = entry(Proc(p)) Exists trajectory from to PE(p) is a set of pairs of valuations to boolean variables in scope in Proc(p) Can be represented with a BDD!

16
Representing Path Edges with BDDs Example PE(p) for boolean variables x,y and z: PE(p) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y) BDDs also used to represent transfer functions for statements Transfer(z := x^y) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)

17
decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end 1 g'=0^h'=1 |g'=1^h'=0 g=g’=0^a1=a1’=0^a2=a2’=1 | g=g’=1^a1=a1’=1^a2=a2’=0 g=g’=0^a1=a1’=0^a2=a2’=1g=0^g’=1^a1=a1’=0^a2=a2’=1 Join(S,T) = { | S, T }

18
Summary Edges = Lift(, Pr) 1 (x) = 2 (x), x in Locals(c) Locals don’t change 1 (g) = d (g) and r (g) = 2 (g), g global Propagation of global state c: Pr() d: Proc Pr() e r <d,r><d,r> <1,2><1,2>

19
decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end g=0^g’=1^a1=a1’=0^a2=a2’=1 g=0^g’=1^a1=a1’=1^a2=a2’=0g=0^g’=1^h=h’=1

20
decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end 1 g'=0^h'=1 |g'=1^h'=0 g=0^g’=1^h=h’=1 g’=h’=1 g=g’=a1=a1’=a2=a2’=1

21
decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end 1 g'=0^h'=1 |g'=1^h'=0 g=g’=0^a1=a1’=0^a2=a2’=1 | g=g’=1^a1=a1’=1^a2=a2’=0 g=g’=1^a1=a1’=1^a2=a2’=0 g=g’=0^a1=a1’=0^a2=a2’=1 | g=g’=1^a1=a1’=1^a2=a2’=0 |a1=a1’=0^a2=a2’=1 g=g’=1^a1=a1’=0^a2=a2’=1

22
decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end g'=0^h'=1 |g'=1^h'=0 g=g’=1^a1=a1’=0^a2=a2’=1g=g’=1^a1=a1’=1^a2=a2’=0g=g’=1^h=h’=0 g'=1^h'=0 g=g’=1^a1=a1’=1^a2=a2’=0

23
Worklist Algorithm while PE(v) has changed, for some v Determine if any new path edges can be generated New path edge comes from Existing path edge + transfer function Existing path edge + summary edge (transfer function for procedure calls) New summary edges generated from path edges that reach exit vertex

24
Generating Error Traces Partition reachable states into “rings” A ring R at stmt S is numbered N iff there is a shortest trace of length N to S ending in a state in R Hierarchical generation of error trace Skip over or descend into called procedures

25
Outline Boolean Programs and Bebop Semantics of Boolean Programs Technical details of algorithm Preliminary Evaluation Linear behavior if # vars in scope remains constant Self application of Bebop Related Work

26
decl g; void main() begin level1(); if(!g) then reach: skip; else skip; fi end void level () begin decl a,b,c; if (g) then while(!a|!b|!c) do if (!a) then a := 1; elsif (!b) then a,b := 0,1; elsif (!c) then a,b,c := 0,0,1; else skip; fi od else ; fi g := !g; end

27

28
Application: Analysis Validation Live variable analysis (LVA) A variable x is live at s if there is a path from s to a use of x (with no intervening def of x) Used to optimize bebop Quantify out variables as soon as they become dead How to check correctness of LVA? Analysis validation Create a boolean program to check results of LVA Model check boolean program (w/out LVA)

29
Analysis Validation Output of LVA: { (s,x) | x is dead at s } Boolean program Two variables per original program var x: x_dead (initially 0) x_defined (initially 0) For each fact (s,x): x_dead, x_defined := 1, 0; For each def of x: x_defined := 1; For each use of x if (x_dead && !x_defined) LVAError(); Query: is LVAError reachable?

30
Results Found subtle error in implementation of LVA Was able to show colleague that there was another error, in his code Analysis validation now part of regression test suite

31
Related Work Pushdown Automata (PDA) decidability results [Hopcroft-Ullman] Model checking PDAs [Bouajjani-Esparza-Maler] [Esparza-Hansel-Rossmanith-Schwoon] Model checking Hierarchical State Machines [Alur, Grosu] Interprocedural dataflow analysis [Sharir-Pnueli] [Steffen] [Knoop-Steffen] [Reps-Horwitz-Sagiv]

32
Related Work Reps-Horwitz-Sagiv (RHS) algorithm Handles IFDS problems Interprocedural Finite domain D Distributive dataflow functions (MOP=MFP) Subsets of D Dataflow as CFL reachability over “exploded graph” Our results RHS algorithm can be reformulated as a traditional dataflow algorithm over original control-flow graph with same time/space complexity Reformulated algorithm is easily lifted to powersets of D using BDDs Arbitrary dataflow functions Path-sensitive

33
Summary Bebop: a model checker for boolean programs Based on interprocedural dataflow analysis using BDDs Exploits procedural abstraction Admits many traditional compiler optimizations Hierarchical trace generation + DHTML user interface Release at end of year SLAM project Iteratively refine boolean program models of C programs Use path simulation to discover relevant predicates (simcl) Automated predicate abstraction (c2bp)

34
Software Productivity Tools Microsoft Research

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google