Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.

Slides:



Advertisements
Similar presentations
CPSC 388 – Compiler Design and Construction
Advertisements

DATAFLOW TESTING DONE BY A.PRIYA, 08CSEE17, II- M.s.c [C.S].
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
6/9/2015© Hal Perkins & UW CSEU-1 CSE P 501 – Compilers SSA Hal Perkins Winter 2008.
Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Program analysis Mooly Sagiv html://
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
1 Today Another approach to “coverage” Cover “everything” – within a well-defined, feasible limit Bounded Exhaustive Testing.
Program analysis Mooly Sagiv html://
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Synthesis of Interface Specifications for Java Classes Rajeev Alur University of Pennsylvania Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam,
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Overview of program analysis Mooly Sagiv html://
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
Efficient Modular Glass Box Software Model Checking Michael Roberson Chandrasekhar Boyapati The University of Michigan.
Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre.
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Overview of program analysis Mooly Sagiv html://
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Automatic Abstraction Refinement for GSTE Yan Chen, Yujing He, and Fei Xie Portland State University Jin Yang Intel Nov 13, 2007.
By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
1 A Static Analysis Approach for Automatically Generating Test Cases for Web Applications Presented by: Beverly Leung Fahim Rahman.
Verification of Java Programs using Symbolic Execution and Loop Invariant Generation Corina Pasareanu (Kestrel Technology LLC) Willem Visser (RIACS/USRA)
Agenda Introduction Overview of White-box testing Basis path testing
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
“Software” Esterel Execution (work in progress) Dumitru POTOP-BUTUCARU Ecole des Mines de Paris
CS 363 Comparative Programming Languages Semantics.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.
Author: Alex Groce, Daniel Kroening, and Flavio Lerda Computer Science Department, Carnegie Mellon University Pittsburgh, PA Source: R. Alur and.
Formal Verification of Synchronization Issues of SpecC Description with Automatic Abstraction Thanyapat Sakunkonchak Masahiro Fujita Department of Electronics.
Declarative Programming in Java using JSetL E. PanegaiG. Rossi Dipartimento di Matematica Università di Parma Roma, Giugno 2005 Convegno Italiano.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke Presented by: Xia Cheng.
Shape analysis with SAT Daniel Jackson & Mandana Vaziri Software Design Group, MIT LCS Schloss Ringberg · February 21, 2000.
Daniel jackson static analysis symposium ·santa barbara · june 2k logic,model s& analysis.
Verification of Synchronization in SpecC Description with the Use of Difference Decision Diagrams Thanyapat Sakunkonchak Masahiro Fujita Department of.
Automated Debugging with Error Invariants TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Chanseok Oh.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
A Review of Software Testing - P. David Coward
SS 2017 Software Verification Bounded Model Checking, Outlook
Weakest Precondition of Unstructured Programs
Graph-Based Operational Semantics
Lifting Propositional Interpolants to the Word-Level
Program Slicing Baishakhi Ray University of Virginia
CUTE: A Concolic Unit Testing Engine for C
Predicate Abstraction
CSE P 501 – Compilers SSA Hal Perkins Autumn /31/2019
Model Checking and Its Applications
Rich Model Toolkit – An Infrastructure for Reliable Computer Systems
Presentation transcript:

finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000

2 overview goal finding bugs in code efficiently supports specs declarative specs relating different program points structural properties pre-defined partial code technique fully automatic errors missed, but no spurious errors

3 example: linked list delete class List {List next; Val val; void static delete (List p, Val v){ List prev = null; while (p != null) if (p.val == v) { prev.next = p.next; return;} else { prev = p; p = p.next; }..} // spec: no cell with value v after no c : p.*next’ | c.val’ = v

4 checking the spec user provides number of loop iterations number of objects in each class (scope) tool finds an execution of delete that contradicts the spec

5 counterexample to the spec Domains List = {L0} Val = {V0} Sets E01 = traversed E12 = (null) E13 = traversed E34 = traversed … p = L0 p1 = L0 prev = L0 prev1 = (null) prev2 = (null) prev’ = (null) v = V0 Relations next = {} next1 = {} val = {L0 -> V0} next’ = {} next1’ = {} val’ = {L0 -> V0} Skolem Constants c = L0

6 counterexample to the spec pre: v-- valnext p post: v-- val’next’ p class List {List next; Val val; void static delete (List p, Val v){ List prev = null; while (p != null) if (p.val == v) { prev.next = p.next; return;} else { prev = p; p = p.next; }..} // spec: no cell with value v after no c : p.*next’ | c.val’ = v

7 more specs //no cells added p.*next’ in p.*next //cells with value v removed p.*next’ = p.*next – {c | c.val = v} //no cells mutated all c | c.val = c.val’ //no cycles introduced no c : p.*next | c in c.+next  no c : p.*next’ | c in c.+next’

8 method code compiler # iters. code constraint all bounded executions in alloy (first order logic)

9 method code spec scope compiler  alloy analyzer #iters. code constraint ¬ final constraint translator boolean formula SAT solver counter

10 compiler steps encode state encode set of executions encoding set of executions construct computation graph from code label variables translate edges into alloy (encoding data flow) derive constraint from graph (encoding control flow)

11 modelling state for delete class List {List next; Val val; void static delete (List p, Val v){ List prev = null; while (p != null) if (p.val == v) { prev.next = p.next; return;} else { prev = p; p = p.next; } … } domain List, Val state p: List? v: Val? prev: List? next: List  List? val: List  Val?

12 computation graph unrolled control flow graph node ~ program point edge ~ predicate & elementary statement single entry, single exit no cycles loops unrolled a ; while (p) s ; b  a ; if (p) s ; assert !p ; b

13 computation graph for delete p = p.next prev = null p != null p == null p.val != v p.val == v prev = pprev.next= p.next return p == null class List {List next; Val val; void static delete (List p, Val v){ List prev = null; while (p != null) if (p.val == v) { prev.next = p.next; return;} else { prev = p; p = p.next; }..}

14 variable labeling example x := a ; x := x + b  x1 = a  x2 = x1 + b nodes hold labeling of each variable labels distinct on any given path same label for two connected nodes if no variable update minimize labels

15 variable labeling for delete prev = null p != null p == null p.val != v p.val == v prev = p prev.next = p.next p = p.next return p == null p, prev, next, val,v prev1 prev2 p1p1 next1

16 encoding data & control flow data translate edge label to alloy formula control for each path conjoin formulas from edges combined paths disjoin path formulas

17 encoding data & control for delete 0 p1 = p.next no prev some p no p p.val != v p.val == v prev1 = p prev1.next1 = p.next return no p no prev some p no p p.val != v p.val == v prev1 = p prev1.next1 = p.next p1 = p.next return no p2      

18 experiments benchmark suite of procedures from (Sagiv et al) destructive update of linked lists specs: null dereferences creation of cycles user-defined all anomalies found in scope of 1 times less than 1 sec for scope 3

19 times for hardest check merge: result.*next = p.*next + q.*next s s s m23s scope iters bits time

20 future work issues scalability (big procs, long chains) variety of datatypes approach partial analysis abstraction use specs instead of procedure calls

21 related work testing symbolic execution (King), PREfix (Pincus) model checking bounded model checking (Biere et al) Bandera project (Kansas State, Hawaii, UMass) Java Pathfinder (NASA Ames) SLAM project (Microsoft Research) ESC (Detlefs et al) parametric shape analysis (Sagiv et al)

22 comparison user does not provide inputs (testing) all possible inputs considered (PSA, testing) handles huge #executions (testing, sym exec) addresses structure (MC, ESC, PREfix) handles declarative specs (MC, testing, sym exec, PSA) no spurious errors (PSA) no numbers (testing, sym exec, Prefix) no proof (PSA, ESC)

23 control data spec finding bugs with a constraint solver

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.