1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Korat Automated Testing Based on Java Predicates Chandrasekhar Boyapati, Sarfraz Khurshid, Darko Marinov MIT ISSTA 2002 Rome, Italy.
A Survey of Approaches for Automated Unit Testing
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Semantics Static semantics Dynamic semantics attribute grammars
Delta Debugging and Model Checkers for fault localization
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Intermediate Code Generation
Introduction to Linked Lists In your previous programming course, you saw how data is organized and processed sequentially using an array. You probably.
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Parallel Symbolic Execution for Structural Test Generation Matt Staats Corina Pasareanu ISSTA 2010.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Symbolic execution © Marcelo d’Amorim 2010.
1/30 SAT Solver Changki PSWLAB SAT Solver Daniel Kroening, Ofer Strichman.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
FIT FIT1002 Computer Programming Unit 19 Testing and Debugging.
Program Exploration with Pex Nikolai Tillmann, Peli de Halleux Pex
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Efficient Modular Glass Box Software Model Checking Michael Roberson Chandrasekhar Boyapati The University of Michigan.
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
1/20 Symbolic Execution and Program Testing Charngki PSWLAB Symbolic Execution and Program Testing James C.King IBM Thomas J.Watson Research Center.
DySy: Dynamic Symbolic Execution for Invariant Inference.
Quantified Formulas - Decision Procedure Daniel Kroening, Ofer Strichman Presented by Changki Hong 07 NOV 08.
Introduction. 2COMPSCI Computer Science Fundamentals.
Verification of Java Programs using Symbolic Execution and Loop Invariant Generation Corina Pasareanu (Kestrel Technology LLC) Willem Visser (RIACS/USRA)
Java Pathfinder JPF Tutorial - Test Input Generation With Java Pathfinder.
B. Fernández, D. Darvas, E. Blanco Formal methods appliedto PLC code verification Automation seminar CERN – IFAC (CEA) 02/06/2014.
Model Counting A Quest for Nails 2 Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
jFuzz – Java based Whitebox Fuzzing
An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.
Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.
Declarative Programming in Java using JSetL E. PanegaiG. Rossi Dipartimento di Matematica Università di Parma Roma, Giugno 2005 Convegno Italiano.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
Model Counting with Applications to CodeHunt Willem Visser Stellenbosch University South Africa.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Higher Computing Science 2016 Prelim Revision. Topics to revise Computational Constructs parameter passing (value and reference, formal and actual) sub-programs/routines,
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin University.
On the Relation Between Simulation-based and SAT-based Diagnosis CMPE 58Q Giray Kömürcü Boğaziçi University.
On Sequentializing Concurrent Programs
Introduction to Linked Lists
Binary Search one reason that we care about sorting is that it is much faster to search a sorted list compared to sorting an unsorted list the classic.
Design by Contract Fall 2016 Version.
CSCI1600: Embedded and Real Time Software
Dynamic Symbolic Data Structure Repair
LPSAT: A Unified Approach to RTL Satisfiability
CSCI1600: Embedded and Real Time Software
Over-Approximating Boolean Programs with Unbounded Thread Creation
Thanyapat Sakunkonchak Masahiro Fujita
Coding Concepts (Basics)
Automatic Test Generation SymCrete
CSCI1600: Embedded and Real Time Software
Introduction to Data Structure
Symbolic Execution and Test-input Generation
CUTE: A Concolic Unit Testing Engine for C
CSCI1600: Embedded and Real Time Software
Presentation transcript:

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing Sarfraz Khurshid, Corina S. P ă s ă reanu, and Willem Visser TACAS 2003

2/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Contents  Introduction  General Methodology  Background  Symbolic Execution  Two-fold Generalization of Symbolic Execution  Lazy initialization  Instrumentation  Implementations  Applications  Conclusion

3/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Introduction (1/2)  Modern software systems are concurrent and manipulate complex dynamically allocated data structures (e.g., linked lists or binary trees)  Two common techniques for checking correctness of software  Testing  widely used but doesn’t give us an assurance  is not good at finding errors related to concurrent behavior  Model Checking  is automatic and good at analyzing concurrent systems  suffers from state-space explosion problem and typically requires a closed system, i.e., bound on input sizes Symbolic execution + model checking Symbolic execution + model checking

4/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Introduction (2/2)  Symbolic execution  well-known program analysis  traditionally arose in the context of checking sequential programs with a fixed number of integer variables  requires dedicated tools to perform the analyses and do not handle concurrent systems with complex inputs Generalization of traditional symbolic execution 1.Source to source translation to instrument a model checkable program 2.Novel symbolic execution algorithm for handling dynamically allocated structures (e.g., lists and trees)

5/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB General Methodology Code Instrumentation Model Checking Decision Procedure Source Program Instrumented Program Counter example continue/backtrack Correctness specification precondition/ postcondition

6/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Background (1/2)  Symbolic Execution  The main idea is to use symbolic values, instead of actual data, as input values, and to represent the value of program variables as expressions  The state of a symbolically executed program includes the symbolic values of program variables and a path condition (pc)  A symbolic execution tree characterizes the execution paths followed during the symbolic execution of a program

7/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Background (2/2)  Symbolic Execution (Example) int x, y; 1: if (x > y) { 2: x = x + y ; 3: y = x – y ; 4: x = x – y ; 5: if (x – y > 0) 6: assert(false); } x : =A y := B PC := true x : = A y := B PC := A>B x : =A y := B PC := A<=B x : =A+B, y :=B PC := A>B x : =A+B, y :=A PC := A>B x : =B, y :=A PC := A>B x : =B, y :=A PC := A>B & B-A>0 FALSE! x : =B, y :=A PC := A>B & B-A <=

8/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Two-fold Generalization of symbolic execution (1/9)  Lazy initialization  is an algorithm for generalizing traditional symbolic execution to support advanced constructs of modern programming languages, such as Java and C++  A key feature of the lazy initialization algorithm is that it starts execution of the method on inputs with uninitialized fields and use lazy initialization to assign values to these field, i.e., it initialize fields when they are first accessed during the method’s symbolic execution

9/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB  Lazy initialization Two-fold Generalization of symbolic execution (2/9) if ( F is uninitialized ) { if ( F is a reference field of user-defined type T ) { nondeterministically initialize F to 1. null 2. a new object of class T (with uninitialized field values) 3. an object created during a prior initialization of a field of type T if ( method precondition is violated ) backtrack(); } if ( F is a primitive field ) initialize F to a new symbolic value of appropriate type } decision procedure : checks the path condition is satisfied. If not, backtracks

10/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB class Node { int elem; Node next; Node swapNode() { 1: if (next != null) 2: if (elem > next.elem) { 3: Node t = next; 4: next = t.next; 5: t.next = this; 6: return t; } return this; } } Two-fold Generalization of symbolic execution (3/9)  Lazy initialization (example) ? next Node instance with uninitialized element next field not accessed

11/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB ? ? next ? ? ? consider executing 1: if (next != null) Precondition: acyclic list Two-fold Generalization of symbolic execution (4/9) ? next ? 1

12/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB consider executing 2: if (elem - next.elem>0) Two-fold Generalization of symbolic execution (5/9) ? next ? 1 E0 next ? E0 next E1 next E0 next E1 next 2 PC : E0 > E1, E0 next E1 next 2 PC : E0 <= E1, } initialize “elem” } initialize “next.elem”

13/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB E0 next E1 next t null t E0 next E1 next ? E0 next E1 t next E0 next E1 next t E0 next E1 next t consider executing 4: next = t.next; Precondition: acyclic list E0E1 next t null next t E0E1 next ? Two-fold Generalization of symbolic execution (6/9)

14/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB  Instrumentation  Two steps 1. The integer fields and operations are instrumented 1. The declared type of integer fields of input objects is changed to Expression, which is a library class for manipulation of symbolic integer expression 2. The field accesses are instrumented 1. Field reads are replaced by get method, get methods implement the lazy initialization 2. Filed updates are replaced by set method Two-fold Generalization of symbolic execution (7/9)

15/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB  Instrumentation (example) Two-fold Generalization of symbolic execution (8/9) class Node { int elem; Node next; Node swapNode () { if (next !=null) if (elem – next.elem) >0) { Node t = next; next = t.next; t.next = this; return t; } return this; } class Node { Expression elem; Node next; boolean _next_is_initialized; boolean _elem_is_initialized; Node swapNode () { if(_get_next() != null) if(Expression._pc._update_GT( _get_elem()._minus( _get_next()._get_elem()), new IntegerConstant(0) ) { Node t = _get_next(); _set_next(t._get_next()); t._set_next(this); return t; } return this; } }

16/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB  Instrumentation (example) Two-fold Generalization of symbolic execution (9/9) class Expression { static PathCondition _pc; Expression _minus(Expression e) { … } class PathCondition { Constraints c; boolean _update_GT(Expression e1, Expression e2) { boolean result = choose_boolean(); if (result) c.add_constraint_GT(e1, e2); else c.add_constraint_LE(e1, e2); if (!c.is_satisfiable()) backtrack(); return result; }} nondeterministic choice add (e1 > e2) to the path condition add (e1 <= e2) to the path condition decision procedure pc

17/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Implementations  Code instrumentation  build on the Korat tool  Model checking  Java PathFinder (JPF)  Decision procedure  Java implementation of the Omega library

18/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Applications (1/2)  Checking multithreaded programs with inputs distributed sorting method

19/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Applications (2/2)  The implementation to symbolically execute distributed sort took 11 seconds to analyze the method’s correctness and it produced a counterexample input list : [X]  [Y]  [Z] such that X > Y > Z Thread- 1 : swaps X and Y Thread -2 : swaps X and Z resulting list : [Y]  [Z]  [X] ; Y and Z out of order

20/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Conclusions  Novel framework based on symbolic execution, for automated checking of concurrent software systems that manipulate complex data structures  Two-fold generalization  Future work  Plan to integrate different constraints solvers that will allow us to handle floats and non-linear constraints  Symbolic execution during model checking is powerful but we don’t know how well it scales to real applications

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.