Precise Inter-procedural Analysis using Random Interpretation. Sumit Gulwani, George C. Necula. Presented by Kian Win Ong, UC Berkeley.


Quick Overview
The example program (shown on the slide as a control-flow graph with two non-deterministic conditionals, marked *):
  if (*) { a := 0; b := i } else { a := i – 2; b := 2 }
  if (*) { c := b – a } else { c := 2a + b }
  assert (a + b = i)
  assert (c = a + i)

Quick Overview (continued)
Same program as above. Random testing needs to execute all 4 paths to verify the assertions.

Quick Overview (continued)
One random-interpretation run of the same program. Input state: i = 3.
After a := 0; b := i: i = 3, a = 0, b = 3.
After a := i – 2; b := 2: i = 3, a = 1, b = 2.
Affine join with w1 = 5, a_join = w1 · a_false + (1 – w1) · a_true, gives the joined state i = 3, a = -4, b = 7.

Quick Overview (continued)
The second conditional, starting from the joined state i = 3, a = -4, b = 7.
After c := b – a: i = 3, a = -4, b = 7, c = 11.
After c := 2a + b: i = 3, a = -4, b = 7, c = -1.
Affine join with w2 = 2: i = 3, a = -4, b = 7, c = 23.

Random Interpretation
Random Testing: dynamically testing the program using randomly generated input. Pros: simple implementation. Cons: limited code coverage.
Abstract Interpretation: statically analyzing selected properties of the program using symbolic execution. Pros: static analysis. Cons: conservative / complicated.

Random Interpretation: statically analyzing selected properties of the program using symbolic random states. Pros: static analysis, simple implementation. Cons: probabilistically sound. A small number of runs guarantees a high probability of soundness.

Intra-procedural Framework
Program model: state captured as polynomials, which are linear in program variables.
Goal: to detect equivalences between polynomials.
Example (second conditional of the program above, c := b – a versus c := 2a + b, joined with w = 2): i = 3, a = -4, b = 7, c = 11 and i = 3, a = -4, b = 7, c = -1 join to i = 3, a = -4, b = 7, c = 23.

Intra-procedural Framework: Algorithm
1. Choose random values for input variables.
2. Execute assignments: use a property-specific Eval() to abstract the program state as polynomials.
3. Execute both branches of conditionals: use Affine Join to combine both program states at join points.
4. Compare polynomials to decide equality.

Intra-procedural Framework: Design of Eval()s
Property (abstraction) specific.
Linear arithmetic: e := x | e1 ± e2 | c · e, with P(e) := e.
Uninterpreted functions: e := x | F(e), with P(x) := x and P(F(e)) := c1 · P(e) + c2.
Completeness and soundness: P(e1) = P(e2) iff e1 = e2.
Linearity: P(e) is linear in program variables.

Intra-procedural Framework: Affine Join
To combine (branched) program states at join points: σ = φ_w(σ1, σ2), where σ(x) := w · σ1(x) + (1 – w) · σ2(x).
Example (first conditional of the program above, w = 5): σ1 after a := 0; b := i is i = 3, a = 0, b = 3; σ2 after a := i – 2; b := 2 is i = 3, a = 1, b = 2; the joined state σ is i = 3, a = -4, b = 7.

Intra-procedural Framework: Affine Join
Completeness: if polynomials P1 and P2 are equivalent in states σ1 and σ2, then they are also equivalent in state σ.
Soundness: if polynomials P1 and P2 are not equivalent in either state σ1 or σ2, then it is unlikely that they are equivalent in state σ. Generate a small number t of runs.
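The intra-procedural algorithm run on the slides' example program, as an added Python example (not the paper's or the presenter's code): one run executes both branches of each conditional and combines the resulting states with the affine join, and t runs are combined so that an assertion is reported as holding only if it held in every run. The input i and the weights w1, w2 are assumed to be drawn from a large integer range.

```python
import random


def affine_join(s1, s2, w):
    """phi_w(s1, s2): w*s1(x) + (1 - w)*s2(x) for every variable x."""
    return {x: w * s1[x] + (1 - w) * s2[x] for x in s1}


def run_example(i, w1, w2):
    """One random-interpretation run of the slides' program for input i.

    Both branches of each non-deterministic conditional are executed and
    their states are joined with the weights w1 and w2, as on the slides.
    """
    # first conditional: a := 0; b := i   |   a := i - 2; b := 2
    s1 = {"i": i, "a": 0, "b": i}
    s2 = {"i": i, "a": i - 2, "b": 2}
    s = affine_join(s1, s2, w1)
    # second conditional: c := b - a   |   c := 2a + b
    t1 = dict(s, c=s["b"] - s["a"])
    t2 = dict(s, c=2 * s["a"] + s["b"])
    s = affine_join(t1, t2, w2)
    # each assertion is decided by comparing values in the joined state
    checks = {
        "a + b = i": s["a"] + s["b"] == s["i"],
        "c = a + i": s["c"] == s["a"] + s["i"],
    }
    return s, checks


def random_runs(t=3, seed=None):
    """t fresh runs; an assertion holds only if it held in every run."""
    rng = random.Random(seed)
    verdict = {"a + b = i": True, "c = a + i": True}
    for _ in range(t):
        i = rng.randint(-10**6, 10**6)
        w1 = rng.randint(-10**6, 10**6)
        w2 = rng.randint(-10**6, 10**6)
        _, checks = run_example(i, w1, w2)
        for name, ok in checks.items():
            verdict[name] = verdict[name] and ok
    return verdict


if __name__ == "__main__":
    print(run_example(3, 5, 2))   # the slides' run: a = -4, b = 7, c = 23
    print(random_runs(seed=1))    # a + b = i holds, c = a + i does not
```

With the input i = 2 (as on a later slide) a single run makes both assertions look true, which is why random inputs and several runs are needed.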

Inter-Procedural Extensions
1. Maintain symbolic state summaries.
2. Generate multiple fresh runs.

Inter-Procedural Extensions
Recap of the intra-procedural run on the example program with input i = 3: the first join (w1 = 5) of i = 3, a = 0, b = 3 and i = 3, a = 1, b = 2 gives i = 3, a = -4, b = 7; the second join (w2 = 2) of c = 11 and c = -1 gives i = 3, a = -4, b = 7, c = 23.

Inter-Procedural Extensions
The same run with input i = 2: both branches of the first conditional give i = 2, a = 0, b = 2, the join with w1 = 5 gives i = 2, a = 0, b = 2, and the join with w2 = 2 gives i = 2, a = 0, b = 2, c = 2. The run is tied to the particular input value i = 2.

Inter-Procedural Extensions: 1. Maintain symbolic state summaries
The same run with the input i kept symbolic.
After a := 0; b := i: a = 0, b = i.
After a := i – 2; b := 2: a = i – 2, b = 2.
Join with w1 = 5: a = 8 – 4i, b = 5i – 8.
After c := b – a: a = 8 – 4i, b = 5i – 8, c = 9i – 16.
After c := 2a + b: a = 8 – 4i, b = 5i – 8, c = 8 – 3i.
Join with w2 = 2: a = 8 – 4i, b = 5i – 8, c = 21i.

Inter-Procedural Extensions: unsound way of summarizing multiple calls
Procedure A (input i): if (*) { u := i + 1 } else { u := 3 }; return u. Join with w = 5: u = 5i – 7.
Procedure B: x := A(2); y := A(1); z := A(1); assert (x = 3); assert (y = z).
Reusing the single summary u = 5i – 7 at every call site gives x = 3, y = -2, z = -2.

Inter-Procedural Extensions: 2. Generate multiple fresh runs
Procedure A is summarized by two fresh runs: run 1 with w1 = 5 gives u = 5i – 7; run 2 with w2 = -2 gives u = 7 – 2i.
Procedure B, run 1, with a fresh weight at each call site: x = φ7(5i – 7, 7 – 2i), y = φ3(5i – 7, 7 – 2i), z = φ5(5i – 7, 7 – 2i).
Procedure B, run 2: x = φ6(5i – 7, 7 – 2i), y = φ0(5i – 7, 7 – 2i), z = φ1(5i – 7, 7 – 2i).
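Both inter-procedural extensions on the slides' procedure A / procedure B, as an added Python example (not the paper's or the presenter's code). Symbolic states are linear polynomials in the input i, stored here as coefficient dictionaries with the key "" for the constant term (a representation assumed for this example); the slides' weights are used so the results can be compared with them.

```python
def poly_add(p, q):
    """Coefficient-wise sum of two linear polynomials, dropping zero terms."""
    r = dict(p)
    for k, v in q.items():
        r[k] = r.get(k, 0) + v
    return {k: v for k, v in r.items() if v != 0}


def poly_scale(w, p):
    return {k: w * v for k, v in p.items() if w * v != 0}


def affine_join(w, p, q):
    """phi_w(p, q) = w*p + (1 - w)*q on symbolic states."""
    return poly_add(poly_scale(w, p), poly_scale(1 - w, q))


def subst(p, var, arg):
    """p[var := arg]; arg is itself linear, so the result stays linear."""
    rest = {k: v for k, v in p.items() if k != var}
    return poly_add(rest, poly_scale(p.get(var, 0), arg))


def summarize_A(w):
    """Extension 1: one run of A with symbolic input i.
    A is  u := i + 1  |  u := 3  (non-deterministic), joined with weight w."""
    return affine_join(w, {"i": 1, "": 1}, {"": 3})


def run_B_single_summary(w):
    """Unsound: every call site reuses the one summary of A."""
    s = summarize_A(w)
    x, y, z = (subst(s, "i", {"": c}) for c in (2, 1, 1))
    return {"x = 3": x == {"": 3}, "y = z": y == z}


def run_B_fresh(w_a, w_b, w_x, w_y, w_z):
    """Extension 2: A is summarized by two fresh runs and each call site
    combines the summaries with its own fresh weight before substituting."""
    s1, s2 = summarize_A(w_a), summarize_A(w_b)

    def call(w, c):
        return subst(affine_join(w, s1, s2), "i", {"": c})

    x, y, z = call(w_x, 2), call(w_y, 1), call(w_z, 1)
    return {"x = 3": x == {"": 3}, "y = z": y == z}
```

With the single summary both assertions of B appear to hold; with two fresh summaries and fresh call-site weights, x = 3 still holds (A(2) is 3 on both branches) while y = z is correctly rejected.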