Boolean Programs: A Model and Process For Software Analysis. By Thomas Ball and Sriram K. Rajamani, Microsoft technical report MSR-TR-2000-14. Presented by Yunho Kim.

Boolean Programs: A Model and Process For Software Analysis. By Thomas Ball and Sriram K. Rajamani, Microsoft technical report MSR-TR-2000-14. Presented by Yunho Kim, Provable Software Lab, KAIST.

Contents (Boolean Programs: A Model and Process For Software Analysis, Yunho Kim, Provable Software Lab, KAIST)
– Introduction
– Constructing Boolean programs
– Checking feasibility
– Conclusion

Introduction
The choice of a model for software is a fundamental issue in software model checking. A good model has three properties:
– A representation R of the model is analogous to a finite state machine (FSM), and there are efficient algorithms to model check R.
– The model checking algorithm on R reports the shortest trace to an error.
– Programming languages such as C, C++ and Java have translations into R.

Introduction
Boolean programs are a good representation for software model checking. Program P and its Boolean program B:

    Program P
    numUnits: int;
    level: int;
    void getUnit(){
    [1]  canEnter: bool := F;
    [2]  if (numUnits = 0){
    [3]    if (level > 10){
    [4]      newUnit();
    [5]      numUnits := 1;
    [6]      canEnter := T;
           }
         } else
    [7]    canEnter := T;
    [8]  if (canEnter)
    [9]    if (numUnits = 0)
    [10]     assert(F);
           else
    [11]     gotUnit();
    }

    Boolean program B of P
    nU0: bool;
    void getUnit(){
    [1]  cE: bool := F;
    [2]  if (nU0){
    [3]    if (?){
    [4]      skip;
    [5]      nU0 := F;
    [6]      cE := T;
           }
         } else
    [7]    cE := T;
    [8]  if (cE)
    [9]    if (nU0)
    [10]     skip;
           else
    [11]     skip;
    }

– All variables in a Boolean program have Boolean type.
– Each Boolean variable in B corresponds to a Boolean expression in P: nU0 stands for (numUnits = 0) and cE for canEnter. The expression (level > 10) is not tracked, so the branch at [3] becomes the nondeterministic choice ?.
– P and B have the same control structure, so the question put to the model checker is whether line [10] (the assert(F) in P) is reachable in B.

Introduction
The X programming language is a simple imperative language with procedures, assignments, if, while and assert statements. The type of a variable in X ranges over integers, finite enumerations and a three-valued type; from now on the Boolean type is extended to three-valued logic with the values true, false and ? (unknown). Kleene's three-valued interpretation of ∧, ∨ and ¬:

    a ∧ b       b = true   b = false   b = ?
    a = true    true       false       ?
    a = false   false      false       false
    a = ?       ?          false       ?

    a ∨ b       b = true   b = false   b = ?
    a = true    true       true        true
    a = false   true       false       ?
    a = ?       true       ?           ?

    ¬a          a = true   a = false   a = ?
                false      true        ?

Introduction
Overview of the SLAM process, given a program P and a specification φ:
– Construct the Boolean program B of P.
– Model check B. If no error trace exists, φ is true. Otherwise the model checker returns an error trace p.
– Check whether p is feasible in P. If it is, φ is false and p is the counterexample.
– Otherwise, eliminate the infeasible path p by refining the Boolean program, and model check again.
Today's focus: constructing the Boolean program and the feasibility check.


Constructing Boolean programs
For simplicity, we assume that all programs are in X-normal form. An X program P is in X-normal form if all of the following hold:
– Every assert statement in P is followed by a skip statement.
– All Boolean expressions in if and while statements of P are ? (nondeterministic choice).
– All assignment statements in P assign to a single variable.
Any X program can be rewritten into X-normal form:

    X program               X-normal form
    if (e) {A} else {B}     if (?) { assert(e); skip; A } else { assert(!e); skip; B }
    while (e) {S}           while (?) { assert(e); skip; S } assert(!e); skip;

Constructing Boolean programs
B(P, E) is the Boolean program of P with respect to E, where:
– P is an X program in X-normal form.
– E = {e1, e2, ..., en} is a set of Boolean expressions over the variables of P and the constants of X.
– V_B = {b1, b2, ..., bn} is the set of Boolean variables of B(P, E); E(bi) denotes the corresponding Boolean expression ei.
Each statement s in P is transformed into one corresponding statement in B(P, E), except for asserts: an assert statement is transformed into two statements in B(P, E).

Constructing Boolean programs
Translation table into B(P, E). I(s, e) denotes the truth value of the Boolean variable b corresponding to e after executing statement s. F(e) denotes the largest (weakest) disjunction of minterms over V_B whose corresponding expression implies e.

    Statement(s) in P        Translation in B(P, E)
    [i] if (?)               [i] if (?)
    [i] while (?)            [i] while (?)
    [i] x := e               [i] b1, ..., bn := I(x := e, e1), ..., I(x := e, en)
    [i] assert(e)            [i] assert(!F(!e))
    [j] skip                 [j] b1, ..., bn := I(assert(e), e1), ..., I(assert(e), en)
    [i] skip                 [i] skip

Constructing Boolean programs
Then, how can we find I(s, e), the truth value of e after execution of s? The answer is the weakest precondition:

    WP(x := e, f) = f[x ← e]
    WP(assert(e), f) = e ⇒ f

Let F(e) denote the largest disjunction of minterms over V_B such that E(F(e)) ⇒ e.
– A minterm is a conjunction in which every variable of V_B occurs exactly once, either plain or complemented.
– Intuitively, E(F(e)) is the weakest expression over E that implies e.
E(F(WP(s, e))) is the weakest precondition over E:
– If E(F(WP(s, e))) is true, then after executing s, e is true, so I(s, e) = true.
– If E(F(WP(s, !e))) is true, then after executing s, e is false, so I(s, e) = false.
– If neither holds, the new value is unknown, so I(s, e) = ?.

Constructing Boolean programs
Example: E = {(x=1), (x=2), (x≤3)} and V_B = {b1, b2, b3}, so E(b1) = (x=1), E(b2) = (x=2), E(b3) = (x≤3). The statement s is x := x+1.

    e                        (x=1)                (x=2)                 (x≤3)
    WP(x:=x+1, e)            x=0                  x=1                   x≤2
    F(WP(x:=x+1, e))         false                b1                    b1 ∨ b2
    E(F(WP(x:=x+1, e)))      false                x=1                   x=1 ∨ x=2
    WP(x:=x+1, !e)           x≠0                  x≠1                   x≥3
    F(WP(x:=x+1, !e))        b1 ∨ b2 ∨ ¬b3        ¬b1 ∨ b2 ∨ ¬b3        ¬b3
    E(F(WP(x:=x+1, !e)))     x=1 ∨ x=2 ∨ x>3      x≠1 ∨ x=2 ∨ x>3       x>3

Reading the middle column: after x := x+1, b2 is true if b1 held before the statement, false if ¬b1 ∨ b2 ∨ ¬b3 held, and ? otherwise.

Constructing Boolean programs
There is a difference between assert(F(e)) and assert(!F(!e)): F(e) ⇒ e ⇒ !F(!e), so F(e) is the strongest of the three and !F(!e) the weakest. Example: E = {(x<y), (y<z)} and V_B = {b1, b2}, with E(b1) = (x<y), E(b2) = (y<z), and e = (x<z).

    (x, y, z)            E(F(e))      e      E(!F(!e))    E(F(!e))     !e     E(!F(e))
    expression over E    x<y ∧ y<z    x<z    x<y ∨ y<z    x≥y ∧ y≥z    x≥z    x≥y ∨ y≥z
    (1, 2, 3)            true         true   true         false        false  false
    (1, 3, 2)            false        true   true         false        false  true
    (1, 3, 0)            false        false  true         false        true   true
    (3, 2, 1)            false        false  false        true         true   true

Translating assert(e) as assert(F(e)) would stop the abstract state of (1, 3, 2), from which e actually holds; assert(!F(!e)) stops only the abstract states, such as that of (3, 2, 1), in which e is certainly false. That is why the translation table uses !F(!e).
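The following is an added example, not code from the paper or from the slides, that computes F(WP(s, e)), I(s, e) and the assert guard !F(!e) for the two predicate sets used above: E = {x=1, x=2, x≤3} with the statement x := x+1, and E = {x<y, y<z} with the asserted expression x<z. It assumes that integer variables range over a small bounded domain so that the implication E(m) ⇒ e can be decided by enumeration; SLAM asks a theorem prover at this step. The class and function names (Abstraction, wp_assign, assert_guard, and so on) are mine.

```python
# Added example (not from the Ball/Rajamani paper or the slides): the
# weakest-precondition step of constructing B(P, E) for one assignment and
# one assert. ASSUMPTION: integer variables range over a small bounded domain
# so that "E(m) implies e" is decided by enumeration instead of by a theorem
# prover.
from itertools import product

def states(names, values):
    """All concrete stores over the given variables and value range."""
    return [dict(zip(names, vals)) for vals in product(values, repeat=len(names))]

def wp_assign(var, rhs, e):
    """WP(var := rhs, e) = e[var <- rhs]: evaluate e in the updated store."""
    return lambda s: e({**s, var: rhs(s)})

def wp_assert(cond, e):
    """WP(assert(cond), e) = cond => e."""
    return lambda s: (not cond(s)) or e(s)

def neg(e):
    return lambda s: not e(s)

class Abstraction:
    """Predicate abstraction with respect to E = [e1, ..., en], V_B = [b1, ..., bn]."""

    def __init__(self, preds, domain):
        self.E, self.domain = preds, domain
        # Minterms over V_B that some concrete store satisfies; the others
        # (e.g. b1 and b2 both true when E(b1) = x=1 and E(b2) = x=2) are
        # unreachable and treated as don't-cares.
        self.minterms = [m for m in product([False, True], repeat=len(preds))
                         if any(self.holds(m, s) for s in domain)]

    def holds(self, m, s):
        """E(m)(s): the store s satisfies every literal of the minterm m."""
        return all(p(s) == v for p, v in zip(self.E, m))

    def F(self, e):
        """F(e): the largest disjunction of minterms over V_B whose
        concretisation implies e, returned as the set of those minterms."""
        return frozenset(m for m in self.minterms
                         if all(e(s) for s in self.domain if self.holds(m, s)))

    def same(self, minterms, expr):
        """Is the minterm set equal to the Boolean expression expr(b1, ..., bn)
        on every consistent minterm?"""
        return all(expr(*m) == (m in minterms) for m in self.minterms)

    def I(self, stmt_wp, e, m):
        """I(s, e) in abstract state m: true if E(m) => WP(s, e), false if
        E(m) => WP(s, !e), otherwise ? (Kleene's third value)."""
        if m in self.F(stmt_wp(e)):
            return True
        if m in self.F(stmt_wp(neg(e))):
            return False
        return '?'

    def abstract_assign(self, var, rhs):
        """b1, ..., bn := I(var := rhs, e1), ..., I(var := rhs, en), tabulated
        per consistent abstract state."""
        wp = lambda e: wp_assign(var, rhs, e)
        return {m: tuple(self.I(wp, e, m) for e in self.E) for m in self.minterms}

    def assert_guard(self, e):
        """Guard of the translated assert(e), i.e. !F(!e): the abstract states
        in which e may still hold (weaker than F(e))."""
        return frozenset(self.minterms) - self.F(neg(e))

# Slide example: E = {x=1, x=2, x<=3}, statement x := x+1.
A1 = Abstraction([lambda s: s['x'] == 1, lambda s: s['x'] == 2, lambda s: s['x'] <= 3],
                 states(['x'], range(-4, 9)))
INC = lambda s: s['x'] + 1

# Slide example: E = {x<y, y<z}, asserted expression e = (x<z).
A2 = Abstraction([lambda s: s['x'] < s['y'], lambda s: s['y'] < s['z']],
                 states(['x', 'y', 'z'], range(0, 4)))
X_LT_Z = lambda s: s['x'] < s['z']

if __name__ == '__main__':
    for m, nxt in A1.abstract_assign('x', INC).items():
        print('x := x+1 takes abstract state', m, 'to', nxt)
    print('F(x<z) =', sorted(A2.F(X_LT_Z)), ' !F(!(x<z)) =', sorted(A2.assert_guard(X_LT_Z)))
```

Running the block reproduces the two tables: for A1, the abstract state (b1, ¬b2, b3) (x = 1) is taken to (¬b1, b2, b3) (x = 2), while (¬b1, ¬b2, b3) (x = 0 or x = 3) is taken to (?, false, ?); for A2, F(x<z) is the single minterm b1 ∧ b2 but the assert guard !F(!(x<z)) is b1 ∨ b2.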


Checking Feasibility
Feasibility checking decides whether a given error trace π of B(P, E) corresponds to a trace p of P, using a modified strongest postcondition. The modified strongest postcondition works on a context instead of on an expression, i.e. SP(context, x := e) instead of SP(f, x := e). A context is a triple consisting of:
– a store, the current valuation of the variables in p;
– a set Π called the history, which records the past valuations of the variables in p;
– a set Φ of Boolean expressions called conditions, which records the constraints introduced by assert statements.

Checking Feasibility
Let V(p) be the set of variables appearing in p. Let Exp denote the set of expressions over Θ(p) and the constants of X, where Θ(p) = {θ_{x,p} | x ∈ V(p)} is a set of symbolic constants in one-to-one correspondence with the variables of V(p). A context is a triple formally defined as follows:
– the store is a partial function V(p) → Exp;
– Π ⊆ V(p) × Exp;
– Φ is a set of Boolean expressions from Exp.
Example:

    p               store               Π                 Φ
    assert(b > 0)   (empty)             ∅                 {θ_{b,p} > 0}
    b := b + 1      b ↦ θ_{b,p} + 1     {⟨b, θ_{b,p}⟩}    {θ_{b,p} > 0}

Checking Feasibility
The strongest postcondition SP maps a context and a statement to a new context.
– Given a store and a set of variables X ⊆ V(p), let undef(store, X) = {⟨x, θ_{x,p}⟩ | x ∈ X, store(x) not defined}: a variable that has not yet been assigned on p is read as its symbolic constant.
– x := e updates the current valuation of x to e evaluated over the store, and records the old value of x in the history Π.
– assert(e) updates the conditions Φ only, adding e evaluated over the store.
The initial context has an empty store, an empty history and no conditions. p is feasible iff the conjunction of all conditions, ∧_{c ∈ Φ} c, is satisfiable.

Checking Feasibility
Example:

    p               store                                Π                                          Φ
    assert(b > 0)   (empty)                              ∅                                          θ_{b,p} > 0
    c := b + b      c ↦ 2θ_{b,p}                         ⟨c, θ_{c,p}⟩                               θ_{b,p} > 0
    a := b          c ↦ 2θ_{b,p}, a ↦ θ_{b,p}            ⟨c, θ_{c,p}⟩, ⟨a, θ_{a,p}⟩                 θ_{b,p} > 0
    a := a - 1      c ↦ 2θ_{b,p}, a ↦ θ_{b,p} - 1        ⟨c, θ_{c,p}⟩, ⟨a, θ_{a,p}⟩, ⟨a, θ_{b,p}⟩   θ_{b,p} > 0
    assert(a < b)   (unchanged)                          (unchanged)                                θ_{b,p} > 0, θ_{b,p} - 1 < θ_{b,p}
    assert(c = a)   (unchanged)                          (unchanged)                                θ_{b,p} > 0, θ_{b,p} - 1 < θ_{b,p}, 2θ_{b,p} = θ_{b,p} - 1

This trace is infeasible because (θ_{b,p} > 0) ⇒ (2θ_{b,p} ≠ θ_{b,p} - 1): the last condition forces θ_{b,p} = -1, which contradicts the first.

Eliminating infeasible paths
To eliminate an infeasible path from a Boolean program, we refine the Boolean program with new predicates. Let C(⟨x, e⟩) denote the Boolean expression (x = e), and extend C pointwise to a set of pairs. Then the conditions C(store) ∪ C(Π) ∪ Φ, collected from the final context of p, are a sufficient set of predicates: adding them to E makes B(P, E) precise enough that the infeasible path p no longer appears in it.
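The following is an added example, not the paper's or the presenter's code: a symbolic path simulator that runs the modified strongest postcondition over the trace of the slide above, checks feasibility, and collects the refinement predicates C(store) ∪ C(Π) ∪ Φ. Statements are strings in Python syntax (so assert(c = a) is written assert(c == a)); every variable x of the path starts out mapped to its symbolic constant theta_x rather than undefined, a simplification of the partial store and undef that I chose for the example; and satisfiability of Φ is decided by enumerating the symbolic constants over a small integer range instead of calling a theorem prover, so a feasible answer comes with an exact witness while an infeasible answer only means that no witness exists within the bounds. The names Context, Subst, TRACE and check are mine.

```python
# Added example (not from the paper or the slides): a symbolic path simulator
# for the feasibility check. A context is (store, history Pi, conditions Phi).
# ASSUMPTION: every variable x starts as its symbolic constant theta_x, which
# stands in for the paper's partial store plus undef. ASSUMPTION: satisfiability
# of Phi is decided by bounded enumeration rather than a theorem prover, so
# "infeasible" means "no witness within the bounds".
import ast
import re
from itertools import product

class Subst(ast.NodeTransformer):
    """Replace each program variable in an expression by its store value."""
    def __init__(self, store):
        self.store = store

    def visit_Name(self, node):
        if node.id in self.store:
            return ast.parse(self.store[node.id], mode='eval').body
        return node

def substitute(expr, store):
    """e evaluated over the store: e with every variable x replaced by store(x)."""
    tree = Subst(store).visit(ast.parse(expr, mode='eval'))
    return ast.unparse(tree.body)

class Context:
    def __init__(self, variables):
        self.store = {v: f'theta_{v}' for v in variables}  # current valuation
        self.history = set()                               # Pi: past valuations
        self.conditions = []                               # Phi: assert constraints

    def sp_assign(self, var, rhs):
        """SP(ctx, var := rhs): record the old value of var in Pi, then update
        the store with rhs evaluated over the current store."""
        self.history.add((var, self.store[var]))
        self.store[var] = substitute(rhs, self.store)
        return self

    def sp_assert(self, cond):
        """SP(ctx, assert(cond)): only Phi changes."""
        self.conditions.append(substitute(cond, self.store))
        return self

    def run(self, path):
        """Apply SP statement by statement along the trace."""
        for stmt in path:
            m = re.fullmatch(r'\s*assert\((.*)\)\s*', stmt)
            if m:
                self.sp_assert(m.group(1))
            else:
                var, rhs = (part.strip() for part in stmt.split(':=', 1))
                self.sp_assign(var, rhs)
        return self

    def symbolic_constants(self):
        return sorted({n for c in self.conditions for n in re.findall(r'theta_\w+', c)})

    def feasible(self, bound=6):
        """A valuation of the symbolic constants satisfying every condition in
        Phi, or None if none exists with all constants in [-bound, bound]."""
        names = self.symbolic_constants()
        codes = [compile(c, '<cond>', 'eval') for c in self.conditions]
        for values in product(range(-bound, bound + 1), repeat=len(names)):
            env = dict(zip(names, values))
            if all(eval(code, {}, env) for code in codes):
                return env
        return None

    def refinement(self):
        """C(store) U C(Pi) U Phi: the predicates to add to E so that this
        path is ruled out of the refined Boolean program."""
        preds = {f'{x} == {e}' for x, e in self.store.items()}
        preds |= {f'{x} == {e}' for x, e in self.history}
        return preds | set(self.conditions)

# The error trace from the slide, in Python syntax (assert(c = a) -> c == a).
TRACE = ['assert(b > 0)', 'c := b + b', 'a := b', 'a := a - 1',
         'assert(a < b)', 'assert(c == a)']

def check(trace, variables=('a', 'b', 'c')):
    """Run the simulator over a trace; return (witness or None, final context)."""
    ctx = Context(variables).run(trace)
    return ctx.feasible(), ctx

if __name__ == '__main__':
    witness, ctx = check(TRACE)
    print('conditions:', ctx.conditions)
    print('feasible with' if witness else 'infeasible', witness or '')
    print('refinement predicates:', sorted(ctx.refinement()))
```

The final store for the slide's trace is a ↦ theta_b - 1, b ↦ theta_b, c ↦ theta_b + theta_b, the history holds ⟨a, theta_b⟩ among others, and the three conditions have no integer solution, so the trace is reported infeasible; replacing the last assert by assert(c > a) makes the trace feasible with the witness theta_b = 1.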


Conclusion
A Boolean program is a good representation for software model checking. The transformation to a Boolean program uses the weakest precondition. A symbolic path simulator using the strongest postcondition checks the feasibility of a given trace.

Reference
Thomas Ball and Sriram K. Rajamani. Boolean Programs: A Model and Process For Software Analysis. Microsoft Research Technical Report MSR-TR-2000-14.