Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Symbolic Execution with Mixed Concrete-Symbolic Solving
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Parallel Symbolic Execution for Structural Test Generation Matt Staats Corina Pasareanu ISSTA 2010.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Efficient Modular Glass Box Software Model Checking Michael Roberson Chandrasekhar Boyapati The University of Michigan.
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Symbolic Execution of Java Byte-code Corina Pãsãreanu Perot Systems/NASA Ames Research.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Symbolic (Java) PathFinder – Symbolic Execution of Java Byte-code Corina Pãsãreanu Carnegie Mellon University/NASA Ames Research.
Automatic Abstraction Refinement for GSTE Yan Chen, Yujing He, and Fei Xie Portland State University Jin Yang Intel Nov 13, 2007.
By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.
Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008.
Verification of Java Programs using Symbolic Execution and Loop Invariant Generation Corina Pasareanu (Kestrel Technology LLC) Willem Visser (RIACS/USRA)
Java Pathfinder JPF Tutorial - Test Input Generation With Java Pathfinder.
Finding Feasible Counter-examples when Model Checking Abstracted Java Programs Corina S. Pasareanu, Matthew B. Dwyer (Kansas State University) and Willem.
Test Input Generation for Java Containers using State Matching Willem Visser Corina Pasareanu and Radek Pelanek Automated Software Engineering Group NASA.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Symbolic Execution.
Model Checking Java Programs using Structural Heuristics
Integrating high-level constructs into programming languages Language extensions to make programming more productive Underspecified programs –give assertions,
Convergence of Model Checking & Program Analysis Philippe Giabbanelli CMPT 894 – Spring 2008.
Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.
Symbolic Execution and Model Checking for Testing Corina Păsăreanu and Willem Visser Perot Systems/NASA Ames Research Center and SEVEN Networks.
Non-Termination of Affine Loops Kevin Durant, Corina Pasareanu, Willem Visser Stellenbosch University and NASA/CMU.
CS265: Dynamic Partial Order Reduction Koushik Sen UC Berkeley.
Tool-supported Program Abstraction for Finite-state Verification Matthew Dwyer 1, John Hatcliff 1, Corina Pasareanu 1, Robby 1, Roby Joehanes 1, Shawn.
Using Symbolic PathFinder at NASA Corina Pãsãreanu Carnegie Mellon/NASA Ames.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Concrete Model Checking with Abstract Matching and Refinement Corina Păsăreanu QSS, NASA Ames Research Center Radek Pelánek Masaryk University, Brno, Czech.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.
Tool-supported Program Abstraction for Finite-state Verification Matthew Dwyer 1, John Hatcliff 1, Corina Pasareanu 1, Robby 1, Roby Joehanes 1, Shawn.
Property-Guided Shape Analysis S.Itzhaky, T.Reps, M.Sagiv, A.Thakur and T.Weiss Slides by Tomer Weiss Submitted to TACAS 2014.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.
Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin University.
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
24 September 2002© Willem Visser Program Model Checking Enabling Technology Abstraction void add(Object o) { buffer[head] = o; head = (head+1)%size;
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Spring 2016 Program Analysis and Verification
Over-Approximating Boolean Programs with Unbounded Thread Creation
Willem Visser Corina Pasareanu and Radek Pelanek
Automatic Test Generation SymCrete
Symbolic Execution and Test-input Generation
Abstraction, Verification & Refinement
Predicate Abstraction
Presentation transcript:

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames Research Center Willem Visser RIACS/USRA, NASA Ames Research Center

2 Introduction Goal Error detection in programs with complex input data structures –Unbounded state space Approaches Model checking with (predicate) abstraction, shape analysis Over-approximations of program behavior Preserve true results; reported errors may be spurious Our approach Symbolic execution and model checking (TACAS’03) Contribution State matching to limit the searched state space –Subsumption checking for symbolic states –Abstractions to further reduce the searched state space Under-approximations of program behavior Preserve errors of safety properties; explore only feasible behaviors

3 Symbolic Execution Analysis of programs with unspecified inputs –Execute a program on symbolic inputs Symbolic states represent sets of concrete states For each path, build a path condition –Condition on inputs – for the execution to follow that path –Check path condition satisfiability – explore only feasible paths Symbolic state –Symbolic values/expressions for variables –Path condition –Program counter

4 x = 1, y = 0 1 > 0 ? true x = = 1 y = 1 – 0 = 1 x = 1 – 1 = 0 0 > 1 ? false int x, y; if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert false; } Concrete Execution PathCode that swaps 2 integers Example – Explicit Execution

5 [PC:true]x = X,y = Y [PC:true] X > Y ? [PC:X>Y]y = X+Y–Y = X [PC:X>Y]x = X+Y–X = Y [PC:X>Y]Y>X ? int x, y; if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert false; } Code that swaps 2 integersSymbolic Execution Tree [PC:X≤Y]END[PC:X>Y]x= X+Y false true [PC:X>Y  Y≤X]END [PC:X>Y  Y>X]END falsetrue path condition Example – Symbolic Execution

6 Handles –Dynamically allocated data structures, arrays –Preconditions, concurrency Lazy initialization for arrays and structures Java PathFinder (JPF) model checker used –To generate and explore the symbolic execution tree Implementation via instrumentation –Programs instrumented to enable JPF to perform symbolic execution –Omega library used to check satisfiability of numeric path conditions – for linear integer constraints Generalized Symbolic Execution

Symbolic Execution with Lazy Initialization Code class Node { int elem; Node next; Node find(int v) { Node n = this; while (n != null) { if (n.elem > v) return n; n = n.next; } return null; } } V0V0 next V1V1 n null V0V0 next V1V1 n V2V2 true false PC: V 0 ≤ v  V 1 ≤ v PC: V 0 ≤ v  V 1 >v this END Execution tree is infinite! … = un-initialized Precondition: acyclic list! V0V0 next V1V1 n true false V0V0 next this this,n V0V0 next n this null PC: true PC: V 0 ≤ vPC: V 0 > v END Lazy initialization

8 State Matching Symbolic state –Represents a set of concrete states State matching –Subsumption checking between symbolic states Symbolic state S 1 is subsumed by symbolic state S 2 iff set of concrete states represented by S 1  set of concrete states represented by S 2 Model checking –Examine if a symbolic state is subsumed by previously stored symbolic state –Continue or backtrack Method handles –Un-initialized data structures (lists, trees), arrays –Numeric constraints

9 Symbolic State E1E1 E2E2 E3E3 E4E4 E 1 > E 2  E 2 > E 3  E 2 < E 4  E 1 > E 4 Heap ConfigurationNumeric Constraints left right

10 Subsumption for Symbolic States Two steps (same program counter): 1.Subsumption checking for heap configurations –Obtained through DFS traversal of “rooted” heap configurations Roots are program variables pointing to the heap –Unique labeling for “matched” nodes –Considers only the heap shape, ignores numeric data 2.Subsumption checking for numeric constraints –Heap subsumption is only a pre-requisite of state subsumption –Check logical implication between numeric constraints –Existential quantifier elimination to “normalize” the constraints Uses Omega library

11 Subsumption for Heap Configurations 1: 2: 3: 4:  left right root right left Unmatched! root left right  

12 Subsumption for Numeric Constraints E1E1 E2E2 E3E3 E4E4 E 1 > E 2  E 2 > E 3  E 2 ≤ E 4  E 1 > E 4 E1E1 E2E2 E3E3 E4E4 Stored state: New state:  Set of concrete states represented by stored state Set of concrete states represented by new state   E 1 > E 2  E 2 > E 3  E 2 < E 4  E 1 > E 4 1: 2: 4:3: 1: 2: 3:4:

13 Subsumption for Numeric Constraints E 1 :V 1 E 2 :V 4 E 3 :V 3 E 4 :V 5 V2V2 Valuation: E 1 = V 1  E 2 = V 4  E 3 = V 3  E 4 = V 5 PC: V 1 V 3  V 4 V 2 Existential Quantifier Elimination 1: 2: 3:4: V6V6 V7V7  V 1,V 2,V 3,V 4,V 5,V 6,V 7 : simplifies to E 1 > E 2  E 2 > E 3  E 2 E 4 E 1 = V 1  E 2 = V 4  E 3 = V 3  E 4 = V 5  PC

14 Abstract Subsumption Symbolic execution with subsumption checking –Not enough to ensure termination –An infinite number of symbolic states Our solution –Abstraction Store abstract versions of explored symbolic states Subsumption checking to determine if an abstract state is re-visited Decide if the search should continue or backtrack –Enables analysis of under-approximation of program behavior –Preserves errors to safety properties Automated support for two abstractions: –Shape abstraction for singly linked lists –Shape abstraction for arrays

15 Abstractions for Lists and Arrays Shape abstraction for singly linked lists –Summarize contiguous list elements not pointed to by program variables into summary nodes –Valuation of a summary node Union of valuations of summarized nodes –Subsumption checking between abstracted states Same algorithm as subsumption checking for symbolic states Treat summary node as an “ordinary” node Abstraction for arrays –Represent array as a singly linked list –Abstraction similar to shape abstraction for linked lists

16 Abstraction for Lists E 1 = V 0  (E 2 = V 1  E 2 = V 2 )  E 3 = V 3 PC: V 0 ≤ v  V 1 ≤ v  V 2 ≤ v V0V0 next V1V1 n V2V2 this V3V3 next V0V0 { V 1 n, V 2 } next this V3V3 next V0V0 V1V1 n V2V2 this V0V0 next V1V1 n V2V2 this  Symbolic states Abstracted states 2:3:1: 2:3: PC: V 0 ≤ v  V 1 ≤ v PC: V 0 ≤ v  V 1 ≤ v  V 2 ≤ v E 1 = V 0  E 2 = V 1  E 3 = V 2 PC: V 0 ≤ v  V 1 ≤ v Unmatched!

17 Experience Implementation –Subsumption checking –Shape abstractions for singly linked lists and arrays Error detection in Java programs –List partition: 10 step counterexample –Array partition: 30 step counterexample Analyzed corrected programs –Abstraction effective in limiting the state space

18 Related Work Under-approximation based abstraction for property falsification –Ball et al. [CAV’05] Our previous work –Choice free search [TACAS’01] –Concrete model checking with abstract matching and refinement [CAV’05] Model driven software verification –Use abstraction mappings during concrete model checking – Holzmann and Joshi [SPIN’04] Symbolic execution –[King’76], Symstra [TACAS’05] Shape analysis –TVLA, …

19 Conclusion and Future Work Symbolic execution with subsumption checking –Explores only feasible program behavior –Handles heap structures and arrays Abstractions for lists and arrays –Explore an under-approximation of feasible behavior –Complementary to over-approximation based abstraction Implementation –Uses Java PathFinder model checker –Applied for error detection in Java programs Future Work –Investigate other shape abstractions, combine with predicate abstraction –Test input generation, property verification (rather than refutation) –Automatic abstraction refinement, compositional analysis

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.