Error Explanation with Distance Metrics 2006.11.2 최윤라

Contents Overview Distance Metric d Producing Explanation (s) -Slicing Experiments

Overview CBMC explain S S’ SAT solver PBS s P + spec counterexample closest successful execution S S’ SAT solver PBS finds closest successful execution as measured by distance metric finds a counterexample

Explanation with distance metrics The metric d is based on Static Single Assignment (SSA) (plus loop unrolling). CBMC model checker (bounded model checker for C programs) translates an ANSI C program into a set of equations. An execution of the program is just a solution to this set of equations.

SSA Transformation int main () { int input1#0,input2#0,input3#0; int least#0 = input1#0; int most#0 = input1#0; most#1 = input2#0; guard#1 = most#0<input2#0; most#2=guard#1?most#1:most#0; most#3 = input3#0; guard#2 = most#2<input3#0; most#4=guard#2?most#3:most#2; most#5 = input2#0; guard#3 = least#0input2#0; most#6=guard#3?most#5:most#4; least#1 = input3#0; guard#4 = least#0input3#0; least#2= guard#4?least#1:least#0; assert(least#2<=most#6); } int main () { int input1, input2, input3; int least = input1; int most = input1; if (most < input2) most = input2; if (most < input3) most = input3; if (least > input2) if (least > input3) least = input3; assert(least<=most); }

Transformation to Equations int main () { int input1#0,input2#0,input3#0; int least#0 = input1#0; int most#0 = input1#0; most#1 = input2#0; guard#1 = most#0<input2#0; most#2=guard#1?most#1:most#0; most#3 = input3#0; guard#2 = most#2<input3#0; most#4=guard#2?most#3:most#2; most#5 = input2#0; guard#3 = least#0input2#0; most#6=guard#3?most#5:most#4; least#1 = input3#0; guard#4 = least#0input3#0; least#2= guard#4?least#1:least#0; assert(least#2<=most#6); } (least#0 == input1#0  most#0 == input1#0  most#1 == input2#0  guard#1 == most#0<input2#0  most#2==guard#1?most#1:most#0 most#3 == input3#0  guard#2 == most#2<input3#0  most#4==guard#2?most#3:most#2 most#5 == input2#0  guard#3 == least#0input2#0  most#6==guard#3?most#5:most#4 least#1 == input3#0  guard#4 == least#0input3#0  least#2== guard#4?least#1:least#0  least#2<=most#6)

Negation of Claim int main () { int input1#0,input2#0,input3#0; int least#0 = input1#0; int most#0 = input1#0; most#1 = input2#0; guard#1 = most#0<input2#0; most#2=guard#1?most#1:most#0; most#3 = input3#0; guard#2 = most#2<input3#0; most#4=guard#2?most#3:most#2; most#5 = input2#0; guard#3 = least#0input2#0; most#6=guard#3?most#5:most#4; least#1 = input3#0; guard#4 = least#0input3#0; least#2= guard#4?least#1:least#0; assert(least#2<=most#6); } (least#0 == input1#0  most#0 == input1#0  most#1 == input2#0  guard#1 == most#0<input2#0  most#2==guard#1?most#1:most#0 most#3 == input3#0  guard#2 == most#2<input3#0  most#4==guard#2?most#3:most#2 most#5 == input2#0  guard#3 == least#0input2#0  most#6==guard#3?most#5:most#4 least#1 == input3#0  guard#4 == least#0input3#0  least#2== guard#4?least#1:least#0  least#2>most#6)

Execution Representation counterexample input1#0 = 1 input2#0 = 0 input3#0 = 1 least#0 = 1 most#0 = 0 \guard#1 = FALSE most#1 = 0 most#2 = 1 \guard#2 = FALSE most#3 = 1 most#4 = 1 \guard#3 = TRUE most#5 = 0 most#6 = 0 \guard#4 = FALSE \least#1 = 1 \least#2 = 1 (least#0 == input1#0  most#0 == input1#0  most#1 == input2#0  guard#1 == most#0<input2#0  most#2==guard#1?most#1:most#0 most#3 == input3#0  guard#2 == most#2<input3#0  most#4==guard#2?most#3:most#2 most#5 == input2#0  guard#3 == least#0input2#0  most#6==guard#3?most#5:most#4 least#1 == input3#0  guard#4 == least#0input3#0  least#2== guard#4?least#1:least#0  least#2>most#6)

Distance Metric d counterexample successful execution d=5 input1#0 = 1 least#0 = 1 most#0 = 1 \guard#1 = FALSE most#1 = 0 most#2 = 1 \guard#2 = FALSE most#3 = 1 most#4 = 1 \guard#3 = TRUE most#5 = 0 most#6 = 0 \guard#4 = FALSE \least#1 = 1 \least#2 = 1 input1#0 = 1 input2#0 = 1 input3#0 = 1 least#0 = 1 most#0 = 1 \guard#1 = FALSE most#1 = 1 most#2 = 1 \guard#2 = FALSE most#3 = 1 most#4 = 1 \guard#3 = FALSE most#5 = 1 most#6 = 1 \guard#4 = FALSE \least#1 = 1 \least#2 = 1 d=5

New SAT variables counterexample input1#0 = 1 least#0 = 1 most#0 = 1 \guard#1 = FALSE most#1 = 0 most#2 = 1 \guard#2 = FALSE most#3 = 1 most#4 = 1 \guard#3 = TRUE most#5 = 0 most#6 = 0 \guard#4 = FALSE \least#1 = 1 \least#2 = 1 input1#0 == (input1#0 != 1) input2#0 == (input2#0 != 0) input3#0 == (input3#0 != 1) least#0 == (least#0 != 1) most#0 == (most#0 != 1) \guard#1 == (\guard#1 != FALSE) most#1 == (most#1 == 0) most#2 == (most#2 == 1) \guard#2 == (\guard#2 != FALSE) most#3 == (most#3 != 1) most#4 == (most#4 != 1) \guard#3 == (\guard#3 != TRUE) most#5 == (most#5 != 0) most#6 == (most#6 != 0) \guard#4 == (\guard#4 != FALSE) \least#1 == (\least#1 != 1) \least#2 == (\least#2 != 1)

-Slicing irrelevant to assertion ! int main () { int input1,input2; int x=1,y=1,z=1; if (input1 > 0) { x += 5; y += 6; z += 4; } if (input2 > 0) { x += 6; y += 5; assert((x<10)||(y<10)); irrelevant to assertion ! What is the smallest subset of changes in values between two executions that result in a change in the value of the predicate?

algorithm Produce an explanation (a set of s) for a counterexample. Modify the SAT constraints replace the constraints for variables in s with (vi=valia)((vi=valib)(vi=expr)) replace the constraints for all other vars with vi=valia Find a new solution to the modified constraint system.

-Slicing for the Example partial constraints for slice.c -slicing constraints for slice.c -slice for slice.c

Experiments Scores were generally much better than other methods—when they could be applied at all. Much more consistent. Testing-based methods of Renieris and Reiss occasionally worked better Also gave useless (score 0) explanations much of the time.