Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

Published byVirginia Rich Modified over 8 years ago

Similar presentations

Presentation on theme: "Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames."— Presentation transcript:

1 Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames Research Center Willem Visser RIACS/USRA, NASA Ames Research Center

2 2 Introduction Goal Error detection in programs with complex input data structures –Unbounded state space Approaches Model checking with (predicate) abstraction, shape analysis Over-approximations of program behavior Preserve true results; reported errors may be spurious Our approach Symbolic execution and model checking (TACAS’03) Contribution State matching to limit the searched state space –Subsumption checking for symbolic states –Abstractions to further reduce the searched state space Under-approximations of program behavior Preserve errors of safety properties; explore only feasible behaviors

3 3 Symbolic Execution Analysis of programs with unspecified inputs –Execute a program on symbolic inputs Symbolic states represent sets of concrete states For each path, build a path condition –Condition on inputs – for the execution to follow that path –Check path condition satisfiability – explore only feasible paths Symbolic state –Symbolic values/expressions for variables –Path condition –Program counter

4 4 x = 1, y = 0 1 > 0 ? true x = 1 + 0 = 1 y = 1 – 0 = 1 x = 1 – 1 = 0 0 > 1 ? false int x, y; if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert false; } Concrete Execution PathCode that swaps 2 integers Example – Explicit Execution

5 5 [PC:true]x = X,y = Y [PC:true] X > Y ? [PC:X>Y]y = X+Y–Y = X [PC:X>Y]x = X+Y–X = Y [PC:X>Y]Y>X ? int x, y; if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert false; } Code that swaps 2 integersSymbolic Execution Tree [PC:X≤Y]END[PC:X>Y]x= X+Y false true [PC:X>Y  Y≤X]END [PC:X>Y  Y>X]END falsetrue path condition Example – Symbolic Execution

6 6 Handles –Dynamically allocated data structures, arrays –Preconditions, concurrency Lazy initialization for arrays and structures Java PathFinder (JPF) model checker used –To generate and explore the symbolic execution tree Implementation via instrumentation –Programs instrumented to enable JPF to perform symbolic execution –Omega library used to check satisfiability of numeric path conditions – for linear integer constraints Generalized Symbolic Execution

7 Symbolic Execution with Lazy Initialization Code class Node { int elem; Node next; Node find(int v) { Node n = this; while (n != null) { if (n.elem > v) return n; n = n.next; } return null; } } V0V0 next V1V1 n null V0V0 next V1V1 n V2V2 true false PC: V 0 ≤ v  V 1 ≤ v PC: V 0 ≤ v  V 1 >v this END Execution tree is infinite! … = un-initialized Precondition: acyclic list! V0V0 next V1V1 n true false V0V0 next this this,n V0V0 next n this null PC: true PC: V 0 ≤ vPC: V 0 > v END Lazy initialization

8 8 State Matching Symbolic state –Represents a set of concrete states State matching –Subsumption checking between symbolic states Symbolic state S 1 is subsumed by symbolic state S 2 iff set of concrete states represented by S 1  set of concrete states represented by S 2 Model checking –Examine if a symbolic state is subsumed by previously stored symbolic state –Continue or backtrack Method handles –Un-initialized data structures (lists, trees), arrays –Numeric constraints

9 9 Symbolic State E1E1 E2E2 E3E3 E4E4 E 1 > E 2  E 2 > E 3  E 2 < E 4  E 1 > E 4 Heap ConfigurationNumeric Constraints left right

10 10 Subsumption for Symbolic States Two steps (same program counter): 1.Subsumption checking for heap configurations –Obtained through DFS traversal of “rooted” heap configurations Roots are program variables pointing to the heap –Unique labeling for “matched” nodes –Considers only the heap shape, ignores numeric data 2.Subsumption checking for numeric constraints –Heap subsumption is only a pre-requisite of state subsumption –Check logical implication between numeric constraints –Existential quantifier elimination to “normalize” the constraints Uses Omega library

11 11 Subsumption for Heap Configurations 1: 2: 3: 4:  left right root right left Unmatched! root left right  

12 12 Subsumption for Numeric Constraints E1E1 E2E2 E3E3 E4E4 E 1 > E 2  E 2 > E 3  E 2 ≤ E 4  E 1 > E 4 E1E1 E2E2 E3E3 E4E4 Stored state: New state:  Set of concrete states represented by stored state Set of concrete states represented by new state   E 1 > E 2  E 2 > E 3  E 2 < E 4  E 1 > E 4 1: 2: 4:3: 1: 2: 3:4:

13 13 Subsumption for Numeric Constraints E 1 :V 1 E 2 :V 4 E 3 :V 3 E 4 :V 5 V2V2 Valuation: E 1 = V 1  E 2 = V 4  E 3 = V 3  E 4 = V 5 PC: V 1 V 3  V 4 V 2 Existential Quantifier Elimination 1: 2: 3:4: V6V6 V7V7  V 1,V 2,V 3,V 4,V 5,V 6,V 7 : simplifies to E 1 > E 2  E 2 > E 3  E 2 E 4 E 1 = V 1  E 2 = V 4  E 3 = V 3  E 4 = V 5  PC

14 14 Abstract Subsumption Symbolic execution with subsumption checking –Not enough to ensure termination –An infinite number of symbolic states Our solution –Abstraction Store abstract versions of explored symbolic states Subsumption checking to determine if an abstract state is re-visited Decide if the search should continue or backtrack –Enables analysis of under-approximation of program behavior –Preserves errors to safety properties Automated support for two abstractions: –Shape abstraction for singly linked lists –Shape abstraction for arrays

15 15 Abstractions for Lists and Arrays Shape abstraction for singly linked lists –Summarize contiguous list elements not pointed to by program variables into summary nodes –Valuation of a summary node Union of valuations of summarized nodes –Subsumption checking between abstracted states Same algorithm as subsumption checking for symbolic states Treat summary node as an “ordinary” node Abstraction for arrays –Represent array as a singly linked list –Abstraction similar to shape abstraction for linked lists

16 16 Abstraction for Lists E 1 = V 0  (E 2 = V 1  E 2 = V 2 )  E 3 = V 3 PC: V 0 ≤ v  V 1 ≤ v  V 2 ≤ v V0V0 next V1V1 n V2V2 this V3V3 next V0V0 { V 1 n, V 2 } next this V3V3 next V0V0 V1V1 n V2V2 this V0V0 next V1V1 n V2V2 this  Symbolic states Abstracted states 2:3:1: 2:3: PC: V 0 ≤ v  V 1 ≤ v PC: V 0 ≤ v  V 1 ≤ v  V 2 ≤ v E 1 = V 0  E 2 = V 1  E 3 = V 2 PC: V 0 ≤ v  V 1 ≤ v Unmatched!

17 17 Experience Implementation –Subsumption checking –Shape abstractions for singly linked lists and arrays Error detection in Java programs –List partition: 10 step counterexample –Array partition: 30 step counterexample Analyzed corrected programs –Abstraction effective in limiting the state space

18 18 Related Work Under-approximation based abstraction for property falsification –Ball et al. [CAV’05] Our previous work –Choice free search [TACAS’01] –Concrete model checking with abstract matching and refinement [CAV’05] Model driven software verification –Use abstraction mappings during concrete model checking – Holzmann and Joshi [SPIN’04] Symbolic execution –[King’76], Symstra [TACAS’05] Shape analysis –TVLA, …

19 19 Conclusion and Future Work Symbolic execution with subsumption checking –Explores only feasible program behavior –Handles heap structures and arrays Abstractions for lists and arrays –Explore an under-approximation of feasible behavior –Complementary to over-approximation based abstraction Implementation –Uses Java PathFinder model checker –Applied for error detection in Java programs Future Work –Investigate other shape abstractions, combine with predicate abstraction –Test input generation, property verification (rather than refutation) –Automatic abstraction refinement, compositional analysis

Download ppt "Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Parallel Symbolic Execution for Structural Test Generation Matt Staats Corina Pasareanu ISSTA 2010.

Parallel Symbolic Execution for Structural Test Generation Matt Staats Corina Pasareanu ISSTA 2010.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.

Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,

Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Similar presentations

Ads by Google