Presentation is loading. Please wait.

Presentation is loading. Please wait.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

Published byFerdinand Underwood Modified over 9 years ago

Similar presentations

Presentation on theme: "A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore."— Presentation transcript:

1 A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore

2 The problem of program slicing Given a program P, and a statement c (the criterion), identify statements and conditionals in the program that are relevant to the variables that occur in c – A conditional is relevant if modifying the conditional could disturb the values of the variables in c from what’s expected (on any input) – A statement is relevant if modifying its rhs could disturb the values of the variables at c Intuitively, a slice is a projection of P that’s behaviorally equivalent to P wrt what’s observable at c Raghavan Komondoor, Precise slicing2

3 An example Raghavan Komondoor, Precise slicing3

4 Applications of slicing Software understanding tools Software maintenance tools – Clone detection – Merging back different variants of a program – Decomposition of monolithic programs into coherent functionalities (e.g., sum-product example) – Recovering independent threads from sequential program Compilers and verification tools – Improves scalability, by identifying portion of program that’s relevant to a property that needs to be checked Raghavan Komondoor, Precise slicing4

5 Control flow graph Raghavan Komondoor, Precise slicing5

6 Flow dependence relation Raghavan Komondoor, Precise slicing6 s1 s2 if s1 defines a variable v s2 uses v there is a control-flow path from s1 to s2 along which no other statement defines v

7 Raghavan Komondoor, Precise slicing7 Flow dependences

8 Control dependence relation s1 s2 if s1 is a conditional s2 is definitely reachable along one branch out of s1 there is a path along the other branch along which s2 is not reached Raghavan Komondoor, Precise slicing8

9 9 Flow + control dependences

10 Basic slicing technique 1.From P, construct flow dependence relation F and control dependence relation C 2.Obtain reflexive-transitive closure R of (F ⋃ C) 3.Slice = { s | in R }, where c is given criterion Raghavan Komondoor, Precise slicing10

11 Raghavan Komondoor, Precise slicing11 Illustration of slicing

12 Raghavan Komondoor, Precise slicing12 Illustration of slicing

13 Raghavan Komondoor, Precise slicing13 A more complex example

14 Raghavan Komondoor, Precise slicing14 Basic technique yields imprecise slice

15 Need to rule out infeasible paths [Hong et al., ‘95] achieve this by code duplication Take a set of predicates Q (on program variables) as input Make up to 2 |Q| copies of each statement, one for each combination of predicate evaluations Identify feasible paths in this “exploded” flow graph Then, apply usual slicing technique on this exploded graph Raghavan Komondoor, Precise slicing15

16 Raghavan Komondoor, Precise slicing16 Exploded flow graph

17 Adding edges in exploded flow graph Raghavan Komondoor, Precise slicing17 Edge (1) not present because in state ¬ p1 x < y cannot True Edge (2) not present for similar reason Edge (3) not present because: Program in state p1 remains in same state after executing “x = x – 1”

18 Loops Raghavan Komondoor, Precise slicing18

19 Loops Raghavan Komondoor, Precise slicing19

20 Precision is closely linked to given partitioning Raghavan Komondoor, Precise slicing20

21 Precision is closely linked to given partitioning  Raghavan Komondoor, Precise slicing21

22 Summary of Hong et al. Obtains more precise slices than standard slicing, by excluding certain infeasible paths Handles loops cleanly Precision is linked to given partitioning Q – Partitioning needs to be selected carefully, based on statements in program – In general, a bigger Q gives better precision (at the expense of slicing time) – Other work exists to infer suitable Q automatically from program by iterative refinement However, in the context of verification, not slicing Raghavan Komondoor, Precise slicing22

23 An approach based on symbolic execution [Jaffar et al., ‘12] Explodes control-flow graph by symbolically executing all possible paths in the program Does not require Q as input Basic idea – During execution, at each point Have a symbolic store, which tracks current values of variables as expressions on program’s initial parameters Have path constraint, which is a predicate on the initial parameters that needs to hold for path p to be feasible – If p is s1 sn, and sn sp and sn sq, split execution into two paths s1 sp and s1 sq. Raghavan Komondoor, Precise slicing23

24 Raghavan Komondoor, Precise slicing24 Illustration of symbolic execution

25 Raghavan Komondoor, Precise slicing25 Illustration of symbolic execution

26 Raghavan Komondoor, Precise slicing26 Symbolic paths ⟶ exploded flow graph

27 Raghavan Komondoor, Precise slicing27 Now, perform standard slicing

28 Raghavan Komondoor, Precise slicing28 Now, perform standard slicing

29 So what do we have … Fully automated. Does not need partitioning Q. Precise even on examples like the complex one seen earlier (involving x = x + w; y = y + w;) However, problem with loops Raghavan Komondoor, Precise slicing29

30 Raghavan Komondoor, Precise slicing30 The problem with loops

31 Raghavan Komondoor, Precise slicing31 The problem with loops

32 Raghavan Komondoor, Precise slicing32 The exploded flow graph

33 Raghavan Komondoor, Precise slicing33 Slicing

34 Raghavan Komondoor, Precise slicing34 Imprecise slicing 

35 Our approach [Komondoor ‘13] Objectives – Fully precise in loop-free fragments, without relying on user-provided partitioning – Use user-provided partitioning only when “crossing” loop iterations – Handle programs that access and manipulate linked data structures Raghavan Komondoor, Precise slicing35

36 We use PIM What is PIM? – A graph/term representation for C programs – An equational logic and rewrite system on terms Embodies the full concrete operational semantics of C Applications – Precise constrained slicing – Partial evaluation Raghavan Komondoor, Precise slicing36

37 Example PIM term x = 1; y = x + 2; if (x == 2) z = y; Raghavan Komondoor, Precise slicing37 Store cell sequential composition fragment addr @

38 Our notation Raghavan Komondoor, Precise slicing x = 1 y = x + 2 x @ 38

39 Slicing via term simplification in PIM Criterion @ @ @ @ Raghavan Komondoor, Precise slicing39

40 Summary of PIM’s approach 1.Convert the (program + criterion) into a store lookup 2.Rewrite/simplify the store lookup term 3.Identify subterms in the program on which simplified term is dependent 4.These terms constitute the slice Fully precise in loop-free fragments. No partitioning required as input. Raghavan Komondoor, Precise slicing40

41 Slicing a loop Criterion Raghavan Komondoor, Precise slicing41 PIM does not terminate while computing precise slice

42 Abstract lattice for given example  T (≤ 100) (≥ 100) (= 100) (≠ 100) Raghavan Komondoor, Precise slicing42 (Tracks only value of x)

43 Iteration 1 (x = 100) Criterion ⊨ @ ⊨ @ (= 100) (1) (2) (1) (2) Raghavan Komondoor, Precise slicing43 abstract weakest pre-condition

44 Iteration 2 @ (1) (2) (1) (2) ⊨ Raghavan Komondoor, Precise slicing44

45 Iteration 3 @ (2) ⊨ Raghavan Komondoor, Precise slicing45

46 Final slice Raghavan Komondoor, Precise slicing46

47 Our approach, at each iteration Use abstract predicates, of the form `s ⊨ l’, where s is a fragment and l is an element of a user-provided abstract lattice L Convert concrete guards in criteria to abstract guards at the beginning of each iteration Rewrite term using extended PIM rewrite rules Then, use dependences to obtain the slice Raghavan Komondoor, Precise slicing47

48 Ensuring termination Raghavan Komondoor, Precise slicing48

49 Example // x points to a singly-linked // list y = null; while (x.d != k) { t = y; y = x; x = x.next; y.next = t; } c b a d e f y x c b a d e f y x after iteration x Raghavan Komondoor, Precise slicing49 @

50 Another example Raghavan Komondoor, Precise slicing50 if (x % 2 == 1) z = z + 1; while (x < n) x = x + 2; if (x % 2 == 0) y = z + 2; y @

51 Summary of our approach Fully precise slicing in loop-free fragments Slicing of loops: Precision linked to user-provided lattice We address loops that traverse heap structures Support partial evaluation also Technical contribution – Integrate abstract interpretation with term rewriting – May be useful in other applications where term rewriting is used Raghavan Komondoor, Precise slicing51

Download ppt "A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Overview Structural Testing Introduction – General Concepts

Overview Structural Testing Introduction – General Concepts
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Data Flow Coverage. Reading assignment L. A. Clarke, A. Podgurski, D. J. Richardson and Steven J. Zeil, A Formal Evaluation of Data Flow Path Selection.

Data Flow Coverage. Reading assignment L. A. Clarke, A. Podgurski, D. J. Richardson and Steven J. Zeil, "A Formal Evaluation of Data Flow Path Selection.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.

Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
White Box Testing and Symbolic Execution Written by Michael Beder.

White Box Testing and Symbolic Execution Written by Michael Beder.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
White Box Testing and Symbolic Execution Written by Michael Beder.

White Box Testing and Symbolic Execution Written by Michael Beder.
White Box Testing and Symbolic Execution Written by Michael Beder.

White Box Testing and Symbolic Execution Written by Michael Beder.
Data Flow Analysis 4 15-411 Compiler Design Nov. 8, 2005.

Data Flow Analysis Compiler Design Nov. 8, 2005.
Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.

Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.

Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Software Systems Verification and Validation Laboratory Assignment 3

Software Systems Verification and Validation Laboratory Assignment 3
1 ECE 453 – CS 447 – SE 465 Software Testing & Quality Assurance Instructor Kostas Kontogiannis.

1 ECE 453 – CS 447 – SE 465 Software Testing & Quality Assurance Instructor Kostas Kontogiannis.
2006/09/19AOAsia 21 Towards Locating a Functional Concern Based on a Program Slicing Technique Takashi Ishio 1,2, Ryusuke Niitani 2 and Katsuro Inoue 2.

2006/09/19AOAsia 21 Towards Locating a Functional Concern Based on a Program Slicing Technique Takashi Ishio 1,2, Ryusuke Niitani 2 and Katsuro Inoue 2.

Similar presentations

Ads by Google