Presentation is loading. Please wait.

Presentation is loading. Please wait.

Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.

Published byClement Lawrence Modified over 8 years ago

Similar presentations

Presentation on theme: "Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000."— Presentation transcript:

1 finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000

2 2 overview goal finding bugs in code efficiently supports specs declarative specs relating different program points structural properties pre-defined partial code technique fully automatic errors missed, but no spurious errors

3 3 example: linked list delete class List {List next; Val val; void static delete (List p, Val v){ List prev = null; while (p != null) if (p.val == v) { prev.next = p.next; return;} else { prev = p; p = p.next; }..} // spec: no cell with value v after no c : p.*next’ | c.val’ = v

4 4 checking the spec user provides number of loop iterations number of objects in each class (scope) tool finds an execution of delete that contradicts the spec

5 5 counterexample to the spec Domains List = {L0} Val = {V0} Sets E01 = traversed E12 = (null) E13 = traversed E34 = traversed … p = L0 p1 = L0 prev = L0 prev1 = (null) prev2 = (null) prev’ = (null) v = V0 Relations next = {} next1 = {} val = {L0 -> V0} next’ = {} next1’ = {} val’ = {L0 -> V0} Skolem Constants c = L0

6 6 counterexample to the spec pre: v-- valnext p post: v-- val’next’ p class List {List next; Val val; void static delete (List p, Val v){ List prev = null; while (p != null) if (p.val == v) { prev.next = p.next; return;} else { prev = p; p = p.next; }..} // spec: no cell with value v after no c : p.*next’ | c.val’ = v

7 7 more specs //no cells added p.*next’ in p.*next //cells with value v removed p.*next’ = p.*next – {c | c.val = v} //no cells mutated all c | c.val = c.val’ //no cycles introduced no c : p.*next | c in c.+next  no c : p.*next’ | c in c.+next’

8 8 method code compiler # iters. code constraint all bounded executions in alloy (first order logic)

9 9 method code spec scope compiler  alloy analyzer #iters. code constraint ¬ final constraint translator boolean formula SAT solver counter

10 10 compiler steps encode state encode set of executions encoding set of executions construct computation graph from code label variables translate edges into alloy (encoding data flow) derive constraint from graph (encoding control flow)

11 11 modelling state for delete class List {List next; Val val; void static delete (List p, Val v){ List prev = null; while (p != null) if (p.val == v) { prev.next = p.next; return;} else { prev = p; p = p.next; } … } domain List, Val state p: List? v: Val? prev: List? next: List  List? val: List  Val?

12 12 computation graph unrolled control flow graph node ~ program point edge ~ predicate & elementary statement single entry, single exit no cycles loops unrolled a ; while (p) s ; b  a ; if (p) s ; assert !p ; b

13 13 computation graph for delete p = p.next 5 2 0 1 3 4 6 7 8 prev = null p != null p == null p.val != v p.val == v prev = pprev.next= p.next return p == null class List {List next; Val val; void static delete (List p, Val v){ List prev = null; while (p != null) if (p.val == v) { prev.next = p.next; return;} else { prev = p; p = p.next; }..}

14 14 variable labeling example x := a ; x := x + b  x1 = a  x2 = x1 + b nodes hold labeling of each variable labels distinct on any given path same label for two connected nodes if no variable update minimize labels

15 15 variable labeling for delete 5 2 0 1 3 4 6 7 8 prev = null p != null p == null p.val != v p.val == v prev = p prev.next = p.next p = p.next return p == null p, prev, next, val,v prev1 prev2 p1p1 next1

16 16 encoding data & control flow data translate edge label to alloy formula control for each path conjoin formulas from edges combined paths disjoin path formulas

17 17 encoding data & control for delete 0 p1 = p.next 0 5 2 1 3 4 6 7 8 no prev some p no p p.val != v p.val == v prev1 = p prev1.next1 = p.next return no p2 5 2 0 1 3 4 6 7 8 no prev some p no p p.val != v p.val == v prev1 = p prev1.next1 = p.next p1 = p.next return no p2      

18 18 experiments benchmark suite of procedures from (Sagiv et al) destructive update of linked lists specs: null dereferences creation of cycles user-defined all anomalies found in scope of 1 times less than 1 sec for scope 3

19 19 times for hardest check merge: result.*next = p.*next + q.*next 111030s 221332s 3316312s 441936m23s scope iters bits time

20 20 future work issues scalability (big procs, long chains) variety of datatypes approach partial analysis abstraction use specs instead of procedure calls

21 21 related work testing symbolic execution (King), PREfix (Pincus) model checking bounded model checking (Biere et al) Bandera project (Kansas State, Hawaii, UMass) Java Pathfinder (NASA Ames) SLAM project (Microsoft Research) ESC (Detlefs et al) parametric shape analysis (Sagiv et al)

22 22 comparison user does not provide inputs (testing) all possible inputs considered (PSA, testing) handles huge #executions (testing, sym exec) addresses structure (MC, ESC, PREfix) handles declarative specs (MC, testing, sym exec, PSA) no spurious errors (PSA) no numbers (testing, sym exec, Prefix) no proof (PSA, ESC)

23 23 control data spec finding bugs with a constraint solver

Download ppt "Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000."

Similar presentations

CPSC 388 – Compiler Design and Construction

CPSC 388 – Compiler Design and Construction
DATAFLOW TESTING DONE BY A.PRIYA, 08CSEE17, II- M.s.c [C.S].

DATAFLOW TESTING DONE BY A.PRIYA, 08CSEE17, II- M.s.c [C.S].
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.

Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
6/9/2015© 2002-08 Hal Perkins & UW CSEU-1 CSE P 501 – Compilers SSA Hal Perkins Winter 2008.

6/9/2015© Hal Perkins & UW CSEU-1 CSE P 501 – Compilers SSA Hal Perkins Winter 2008.
Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.

Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

Similar presentations

Ads by Google