Presentation is loading. Please wait.

Presentation is loading. Please wait.

Swerve: Semester in Review. Topics  Symbolic pointer analysis  Model checking –C programs –Abstract counterexamples  Symbolic simulation and execution.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Swerve: Semester in Review. Topics  Symbolic pointer analysis  Model checking –C programs –Abstract counterexamples  Symbolic simulation and execution."— Presentation transcript:

1 Swerve: Semester in Review

2 Topics  Symbolic pointer analysis  Model checking –C programs –Abstract counterexamples  Symbolic simulation and execution  Cousot: the Galois connection

3 Pointer Analysis (in 2001)

4 P.A. Terminology  Context-sensitivity: do we take calling context into account –Doing so leads to very precise but very non- polynomial algorithms  Flow-sensitivity: sensitive to control flow –Equality = unification-based = Steensgaard  Almost linear, but not very precise –Subset = inclusion-based = Anderson  Polynomial but more precise –Sensitive analyses even more expensive

5 P.A.: Flow-sensitivity

6

7

8 P.A.: Problem Formulation  Phase one: find constraints in the code –Depends on sensitivities (context, flow) –Examine stores, loads, etc.  Phase two: solve system of constraints for the complete points-to relation –Explicit: Steensgaard using union-find –Implicit: Anderson-style using BDDs

9 Pointer Analysis Example h 1 : v 1 = new Object(); h 2 : v 2 = new Object(); v 1.f = v 2 ; v 1.f = v 2 ; v 3 = v 1.f; v 3 = v 1.f; Input Relations vPointsTo(v 1,h 1 ) vPointsTo(v 2,h 2 ) Store(v 1,f,v 2 ) Load(v 1,f,v 3 ) Output Relations hPointsTo(h 1,f,h 2 ) vPointsTo(v 3,h 2 ) v1v1 h1h1 v2v2 h2h2 f v3v3

10 Zhu: Symbolic P.A.  Points-to relation can be huge, but BDDs are great at implicitly representing relations

11 Berndl et al: Symbolic P.A.  Subset-based formulation using BDDs  Variable ordering experiments –Sets of heap objects (“pointed to”) tend to be large and regular: putting them together at the end of the ordering helps –Interleaving the bits for sets of variables (“pointers”) helps a little –In general, important to partition the bits of the different sets in the relations

12 Whaley & Lam: Datalog, bddbddb  All these symbolic pointer analyses are devoting a lot of implementation time to get the BDD part correct and fast  Datalog: a declarative language for expressing (possibly recursive) relations  bddbddb: a tool to convert Datalog operations (join, project, rename, recursion) into BDD operations  Points-to analyses can now be described much more concisely in Datalog

13 hPointsTo(h 1, f, h 2 ) :- Store(v 1, f, v 2 ), vPointsTo(v 1, h 1 ), vPointsTo(v 2, h 2 ). v1v1 h1h1 v2v2 h2h2 f Inference Rule in Datalog v 1.f = v 2 ; Stores:

14 Whaley & Lam: With Context  Context sensitive analysis by cloning methods and doing a context insensitive analysis on the new call graph  Can use Datalog to express constraints necessary to determine the call graph  Cloned call graph is exponentially bigger, but clever encoding lets BDDs handle it well

15 CBMC: Prototype Tool ANSI-C Model VHDL /Verilog Product convert + *  = + *  = Parsing and type checking BV Logic (Tree) + *  = BV Logic Decision Problem  Equivalence reduced to bit vector logic decision problem  Tool requires decision procedure for large bit vector problems  BV problems are HUGE – directly passed to Chaff in CNF CNF Chaff

16 Example

17 Explaining Counterexamples  Counterexamples provided by model checkers are often difficult to understand and locate within the code  Previous work: find a concrete execution “close to” the counterexample by some distance metric  This work: find an abstract execution— provides more meaningful explanations

18 Distance Metric  Execution = (state, action) sequence –State = (control location, predicate)  Metric: compare two executions a and b –Don’t just compare a i to b i since small changes in control flow can yield “misalignment” –Distance is defined as the number of changes (in predicates and actions) to convert a to b

19 Symbolic Execution

20

21 Quasi-symbolic simulation  Symbolic simulation externally  scalar values internally –simulation run requires constant memory.  Key ideas –Don’t compute exact value unless necessary.  many don’t cares in large designs. –Trade time for memory.  Multiple runs to generate exact values.  Reliability of directed testing with efficiency closer to that of symbolic methods

22 Don’t care logic Basic Algorithm & & & & X a a X b b X c c Symbolic variable X -a X a a 0 Obeys law of excluded middle! X Conservative approximation X X X “traditional” X value 0 Don’t care variables

23 Decision Procedure X ? a=0 a=1 Variable selection heuristic: pick relevant variable by propagating from inputs. & & O X a a X b b X X X 0 0 0 X b b 0 1 0 X b b 0 ? 0 Test is Unsatisfiable!

24 BDDs with Approximate Values  Generic Approximate BDD apply algorithm. Approx_Apply(F,G) find top variable V compute L=left(F,G), R=right(F,G) if node(V,L,R) exists, return it else if (want_exact(V,L,R)) create node (V,L,R) return node else /* approximate */ return X

25 Classification Algorithm  Simulator’s classification –Care –Don’t Care  Algorithm –Initially, all variables are Don’t Care. –Simulate using sub-domain values only. –Re-classify 1 variable as Care. –Repeat until sufficient variables classified.

26 Review  What we’ve done: –Symbolic pointer analysis –Symbolic simulations and executions –Model checking  C programs  Abstract explanations  Where do we go from here?

Download ppt "Swerve: Semester in Review. Topics  Symbolic pointer analysis  Model checking –C programs –Abstract counterexamples  Symbolic simulation and execution."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Chapter 4 Computation Bjarne Stroustrup www.stroustrup.com/Programming.

Chapter 4 Computation Bjarne Stroustrup
1 Title Page Implicit and Explicit Reachable State Space Exploration Of Esterel Logical Circuits Advisor :

1 Title Page Implicit and Explicit Reachable State Space Exploration Of Esterel Logical Circuits Advisor :
Part IV: Memory Management

Part IV: Memory Management
Lecture 5.

Lecture 5.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.

Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov 20 2007.

Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.

CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
INTRODUCTION TO PROGRAMMING

INTRODUCTION TO PROGRAMMING
Parallel Inclusion-based Points-to Analysis Mario Méndez-Lojo Augustine Mathew Keshav Pingali The University of Texas at Austin (USA) 1.

Parallel Inclusion-based Points-to Analysis Mario Méndez-Lojo Augustine Mathew Keshav Pingali The University of Texas at Austin (USA) 1.
Best-First Search: Agendas

Best-First Search: Agendas
Faculty of Computer Science LCPC 2007 Using ZBDDs in Points-to Analysis Stephen Curial Jose Nelson Amaral Department of Computing Science University of.

Faculty of Computer Science LCPC 2007 Using ZBDDs in Points-to Analysis Stephen Curial Jose Nelson Amaral Department of Computing Science University of.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

Similar presentations

Ads by Google