1 Automatic Predicate Abstraction of C Programs Parts of the slides are from

Slides:



Advertisements
Similar presentations
A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstraction of Source Code (from Bandera lectures and talks)
Semantics Static semantics Dynamic semantics attribute grammars
Intermediate Code Generation
Programming Languages and Paradigms
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Partial correctness © Marcelo d’Amorim 2010.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
Dynamic semantics Precisely specify the meanings of programs. Why? –programmers need to understand the meanings of programs they read –programmers need.
1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
Verification of parameterised systems
Program Proving Notes Ellen L. Walker.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages
CSE Winter 2008 Introduction to Program Verification symbolic execution continued.
1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Axiomatic Semantics Dr. M Al-Mulhem ICS
ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 1.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Dr. Muhammed Al-Mulhem 1ICS ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Describing Syntax and Semantics
CS241 PASCAL I - Control Structures1 PASCAL I - Control Structures Philip Fees CS241.
Semantics “Semantics” has to do with the meaning of a program. We will consider two types of semantics: –Static semantics: semantics which can be enforced.
Automatic Predicate Abstraction of C Programs Thomas BallMicrosoft Rupak MajumdarUC Berkeley Todd MillsteinU Washington Sriram K. RajamaniMicrosoft
Java Methods By J. W. Rider. Java Methods Modularity Declaring methods –Header, signature, prototype Static Void Local variables –this Return Reentrancy.
Predicates and Quantifiers
1/20 Symbolic Execution and Program Testing Charngki PSWLAB Symbolic Execution and Program Testing James C.King IBM Thomas J.Watson Research Center.
Expressions creating information. topics  operators: precedence, associativity, parentheses, overloading  operands: side-effects, coercion  arithmetic,
CSE 755, part3 Axiomatic Semantics Will consider axiomatic semantics (A.S.) of IMP: ::=skip | | | | ; | | Only integer vars; no procedures/fns; vars declared.
CSE S. Tanimoto Lambda Calculus 1 Lambda Calculus What is the simplest functional language that is still Turing complete? Where do functional languages.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software.
Reasoning about programs March CSE 403, Winter 2011, Brun.
CSE 230 The -Calculus. Background Developed in 1930’s by Alonzo Church Studied in logic and computer science Test bed for procedural and functional PLs.
Chapter 3 Part II Describing Syntax and Semantics.
Semantics In Text: Chapter 3.
1 Georgia Tech, IIC, GVU, 2006 MAGIC Lab Rossignac Lecture 02: QUANTIFIERS Sections 1.3 and 1.4 Jarek Rossignac CS1050:
Chapter 2 Symbolic Logic. Section 2-1 Truth, Equivalence and Implication.
SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India.
CS241 PASCAL I - Control Structures1 PASCAL Control Structures Modified Slides of Philip Fees.
Daniel Kroening and Ofer Strichman Decision Procedures An Algorithmic Point of View Deciding Combined Theories.
Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications Chapter.
1 Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM Parts of the slides are from
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
C HAPTER 3 Describing Syntax and Semantics. D YNAMIC S EMANTICS Describing syntax is relatively simple There is no single widely acceptable notation or.
Boolean Programs: A Model and Process For Software Analysis By Thomas Ball and Sriram K. Rajamani Microsoft technical paper MSR-TR Presented by.
Section 1.4. Propositional Functions Propositional functions become propositions (and have truth values) when their variables are each replaced by a value.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Memory Management Functions
Disjunctive Normal Form
Elementary Metamathematics
Programming Languages and Compilers (CS 421)
Semantics In Text: Chapter 3.
MA/CSSE 474 More Math Review Theory of Computation
UNIT V Run Time Environments.
CSE S. Tanimoto Lambda Calculus
Programming Languages and Compilers (CS 421)
Presentation transcript:

1 Automatic Predicate Abstraction of C Programs Parts of the slides are from

2 Predicate abstraction by C2BP program P Boolean program BP(P,E) C2BP predicates E

3 C2BP: Predicate Abstraction for C Programs Given P : a C program E = {e 1,...,e n } : set of C boolean expressions over the variables in P –no side effects, no procedure calls Produces a boolean program B same control-flow structure as P only vars are 3-valued booleans {{e 1 },...,{e n }} properties true of B are true of P

4 Assumptions Operates on intermediate representation of C language –CFG : if-then-else statements and gotos –expressions : side-effect free, no short-circuit evaluation, no multiple dereferences(e.g. **p) –Function call occurs at the top-most level z=x+f(y);  w=f(y); z=x+w; –Return statement is in the following form: return r; (where r is a local variable) Uses a logical memory model –for all i: p+i = p (where p is a pointer)

5 Weak/Strong predicates p is weaker than q iff q ) p For example, –‘T’ is weaker than ‘F’ since ‘F’ ) ‘T’ –x < 5 is weaker than x < 4 since x < 4 ) x < 5 ‘Weak’ means ‘easy to be satisfied’ –‘T’ is the weakest predicate. ‘Strong’ means ‘hard to be satisfied’ –‘F’ is the strongest predicate.

6 Precondition p 2 P(s, q) iff –8 M 2 States : M 2 [[p]] ) ([[s]] M) 2 [[q]] (where [[p]] denotes the states that satisfy p and [[s]] denotes the transfer function) P(s, q) = the set of predicates whose truth before s entails the truth of q after s terminates Example: –(y<3) 2 P(x=y+1, x<20) –(y<19) 2 P(x=y+1, x<20) It is easy to see that if p,p’ 2 P(s,q) then p Ç p’ 2 P(s,q) –i.e, P(s,q) is closed under Ç –Note that p Ç p’ is weaker than p and p’

7 Weakest Precondition WP(s, q) = –the weakest predicate p such that p 2 P(s, q) –equivalently, Ç (P(s,q)) For assignment statement, –WP(x = e, q) = q[e/x] Example: –WP(x = y+1, x<20) = (x<20)[(y+1)/x] = (y+1)<20 = (y<19) –(y<3) 2 P(x = y+1, x<20) but (y<3) ) (y<19)

8 Predicate strengthening Example –Given only E={ x<19, y==7, y==z, z<8}, –WP(x = y+1, x<19) = y<18 -> we don’t have (y<18) as a predicate! panic? –Find the weakest boolean expression consisting of E that implies (y<18)! How? –S E (p) = Ç { e | e is a boolean expression over E, e ) p } –But by disjunctive normal form theorem… –c 1 Æ … Æ c n is a cube over E iff (c i = e i or c i = : e i ) and e i 2 E –S E (p) = Ç { e | e is a cube over E, e ) p } –S E (y<18) = (y==7) Ç (y==z Æ z<8)

9 Strengthening & Weakening p S E (p) W E (p)

10 Translating Assignment Statements In general, –“WP(s, e i ) is true before s” implies “predicate e i is true after s” –“WP(s, : e i ) is true before s” implies “predicate e i is false after s “ But in some cases, WP(s, e i ) is not expressible using E The assignment statement “x=e;” is translated to –{e i } = {S E (WP(x=e, e i ))} ? true : {S E (WP(x=e, : e i ))} ? false : *; for each e i 2 E

11 Translation example Translating “x = y+1;” –Given E={ x<19, y==7, y==z, z<8}, –S E (WP(x=y+1, x<19)) = S E (y<18) = (y==7) Ç (y==z Æ z<8) –S E (WP(x=y+1, : (x<19))) = S E (WP(x=y+1, x ¸ 20)) = S E (y ¸ 19) = false –For {x<19}, {x<19} = ( {y==7} || ( {y==z} && {z<8} ) ) ? true : false ? false : *; –Similar for {y==7}, {y==z}, {z<8}

12 Handling Pointers Statement : *p = y; predicates E = { x==5 } Weakest Precondition: –WP(*p=y, x==5) = (x==5)[y/*p] = (x==5)??? –What if *p and x alias? Correct Weakest Precondition: –WP(*p=y, x==5) = (p==&x Æ y==5) Ç (p!=&x Æ x==5) Uses Das’s pointer analysis to prune infeasible alias scenarios

13 Translating conditional statements (1/2) if (e) { … } else { … } is translated to if (*) { assume(e); … } else { assume( : e); … } But what if ‘e’ is not expressible in terms of the predicates in E? Then find a condition weaker than ‘e’ such that it is expressible in terms of E

14 Predicate weakening W E (p) = the strongest predicate among those which are expressible in terms of ‘E’ and are implied by ‘p’ W E (p) = : (S E ( : p))

15 Translating conditional statements (2/2) if (e) { … } else { … } is translated to if (*) { assume(W E (e)); … } else { assume(W E ( : e)); … } Example –E = { x>3, x==10 } –if(x>5) { … } else { … }  –if(*) { assume(x>3); … } else { assume(!(x==10)); … }

16 Handling Procedures Procedures abstracted in two passes: –a signature is produced for each procedure in isolation –procedure calls are abstracted using the callees’ signatures only

17 Global/Local predicates Each predicate in E is annotated as being either global or local to a particular procedure e i 2 E is … –global iff e i refers to global variables only –local to procedure R iff e i refers to a local variable of R (e i cannot refer to local variables of another procedure due to scoping)

18 Formal/Return predicates e i 2 E is … –a formal predicate of procedure R iff e i is a local predicate of R and doesn’t refer to any local variables of R –a return predicate of procedure R iff one of the following conditions is true: (1) e i refers to return variable ‘r’ of R and doesn’t refer to any local variable except ‘r’ (2) e i is a formal predicate and e i refers to a global var or to a pointer dereference of formal parameter of R

19 Example program int bar(int *q,int y,int z) { int m1,m2; m1 = y+1; return m1; } void foo(int *p, int x) { int r; r=bar(p,x,*p); } bar { y>=0; // formal *q<=y; // formal, return y==m1; // return } foo { *p<=0; // formal, return x==0; // formal r==0 // local }

20 Translating procedure “bar” int bar(int *q,int y,int z) { int m1,m2; m1 = y+1; return m1; } bar({y>=0}, {*q<=y}) { bool {y==m1}; {y==m1} = false ? true : !{y==m1} ? false : *; } bar { y>=0; // formal *q<=y; // formal, return y==m1; // return }

21 Translating procedure “foo” “foo” invokes “bar” but only the signature of “bar” is needed to handle the procedure call Translated form of “foo”: foo({*p<=0}, {x==0}) { bool {r==0}; … }

22 Signature of procedure “bar” int bar(int *q,int y,int z) { int m1,m2; m1 = y+1; return m1; } bar { y>=0; // formal *q<=y; // formal, return y==m1; // return } Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) as formal predicates Returns (*q<=y), (y==m1) as return predicates Return var = m1

23 Resolving/Strengthening formal predicates r=bar(p,x,*p); (in procedure foo) Formal predicates of “bar” (y>=0)[p/q, x/y, *p/z] = (x>=0) –S foo (x>=0) = (x==0) –S foo ( : (x>=0)) = false (*q<=y)[p/q, x/y, *p/z] = (*p<=x) –S foo (*p<=x) = (*p<=0) Æ (x==0) –S foo ( : (*p<=x)) = : (*p<=0) Æ (x==0) Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

24 Translated procedure invocation prm1 = {x==0} ? true : false ? false : *; prm2 = {*p<=0}&&{x==0} ? true : !{*p<=0}&&{x==0} ? false : *; r1,r2 = bar(prm1,prm2); “bar” returns the resulting value of predicates (*q<=y) and (y==m1) Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

25 Resolving return predicates r=bar(p,x,*p); (in procedure foo) Return predicates of “bar” (*q<=y)[r/m1, p/q, x/y, *p/z] = (*p<=x) (y==m1)[r/m1, p/q, x/y, *p/z] = (x==r) Let R = { (*p<=x), (x==r) } Predicates of “foo” to be updated –(*p<=0) (“p” is passed to “bar”) –(r==0) (“r” is assigned by proc call) Let U foo = { (*p<=x), (r==0) } Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

26 How to update caller’s predicates r=bar(p,x,*p); (in procedure foo) R = { (*p<=x), (x==r) } U foo = { (*p<=0), (r==0) } Let T = R [ (E foo \ U foo ) = { (*p<=x), (x==r), (x==0) } Strengthening U foo over T –S T (*p<=0) = (*p<=x) Æ (x==0) –S T ( : (*p<=0)) = : (*p<=x) Æ (x==0) –S T (r==0) = (x==r) Æ (x==0) –S T ( : (r==0)) = : (x==r) Æ (x==0) Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

27 Translated procedure return …; r1,r2 = bar(prm1,prm2); r1,r2 represents {*p<=x}, {x==r} U foo strengthened over T –S T (*p<=0) = (*p<=x) Æ (x==0) –S T ( : (*p<=0)) = : (*p<=x) Æ (x==0) –S T (r==0) = (x==r) Æ (x==0) –S T ( : (r==0)) = : (x==r) Æ (x==0) Updating predicates of U foo –{*p<=0} = r1&&{x==0} : true ? !r1&&{x==0} : false ? *; –{r==0} = r2&&{x==0} : true ? !r2&&{x==0} : false ? *; Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

28 Finally… foo({*p<=0}, {x==0}) { bool {r==0}; bool prm1, prm2, r1, r2; prm1 = {x==0} ? true : false ? false : *; prm2 = {*p<=0}&&{x==0} ? true : !{*p<=0}&&{x==0} ? false : *; r1,r2 = bar(prm1,prm2); {*p<=0} = r1&&(x==0) : true ? !r1&&(x==0) : false ? *; {r==0} = r2&&(x==0) : true ? !r2&&(x==0) : false ? *; } Signature of “bar”: int bar(int *q,int y,int z); Takes (y>=0), (*q<=y) Returns (*q<=y), (y==m1) Return var = m1 Predicates of “foo”: *p<=0; x==0; r==0

29 Formal Properties of C2BP soundness –B has a superset of the feasible paths in P –If {e i } is true (false) at some point on a path in B, then e i is true (false) at that point along a corresponding path in P complexity –linear in size of program –exponential in number of predicates

30 Conclusions Contributions –C2BP handles the constructs of C pointers, recursion, structs, casts modular abstraction of procedures –Provably sound Defects –Doesn’t use physical memory model

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.