Path Slicing Presentation by Massimiliano Menarini Ranjit Jhala and Rupak Majumdar, “Path Slicing” PLDI 05 (June 2005, Chicago, Illinois)

Outline Use of Path Slices  Model checking and counter examples Control Flow Automata Weakest Preconditions Properties of Path Slices  Completeness  Soundness Path Slice Algorithm Experimental Results Conclusion

Use of Path Slices Model checking  Allow for the exploration of the execution space of an application to find some error  Return a counter example: an execution path form the start state to an error state Motivation for using Path Slicing techniques  The returned counter example can be very long For example the paper presents an experiment where a property checked on gcc returned a 82,695 basic blocks counter example  Obtain understandable counter examples We are interested in only the operations that affect the reachability of the error state (potentially a fraction of the full counter example)

Example of CFA Source Ex() { 0: if(a>0) 1: x=1; 2: c=0; 3: for(i=1;i<1000;i++) 4: c=c+f(i); 5: if(a>0){ 6: if(x==0){ ERR: }}... } CFA ’4 5 6 ErrExit [a>0] [a≤0] x=1 c=0 i=1[i<1000] [i≥1000] c=c+f(i) i++ [a>0] [a≤0] [x==0]

Control Flow Automata It is a CFG with operations on the edges and program counter on the vertexes Formally  Operations (Ops) of 2 types Assignment: l:=e assume: assume(p)  CFA C f =(PC f, pc 0, pc out, E f, V f )  PC f is a set of locations (program counters)  pc 0  PC f is the start location  pc out  PC f is the exit location  E f set of edges, E f  PC f  Ops  PC f  V f set of variables (?)

Weakest Preconditions Given a logical formula  over a set of variables X.   represents all X-states where the values of X satisfy  The weakest precondition (WP) of  with regard to the operation op  Ops (WP. .op) is the set of states that can reach a state in  after executing op X={a} Ops={a=0, a=1}  =[a==1] Therefore  identifies {a=1} WP. .(a=1)={all} WP. .(a=0)={Ø}

Example of Paths CFA ’4 5 6 ErrExit [a>0] [a≤0] x=1 c=0 i=1[i<1000] [i≥1000] c=c+f(i) i++ [a>0] [a≤0] [x==0] Path to pc= ’ 5 6 [a>0] x=1 c=0 i=1 [i≥1000] [a>0] Trace [a>0] x=1 c=0 i=1 [i≥1000] [a>0] Variables a c i x Cannot execute: this is an unfeasible path To execute must be a>0 (  )

Paths and Slices A path  from pc to pc’ is a sequence of edges of the CFA such that: the destination of one and the source of the next coincide, the source of the first edge is pc and the destination of the last is pc’ A trace is the sequence of operations on the edges of a path A path is feasible if there is some state that can execute it A state s can reach a location pc if there exist a path from pc 0 to pc that can be executed by s A Path Slice  ’ is a subsequence of a path 

Completeness  ’ is a complete slice of  (path from pc 0 to an error location pc  ) if for every s  WP.true.Tr.  ’ either:  there exist a program path  ’’ from pc 0 to pc  such that s can execute  ’’, or  S cannot reach pc out Therefore if there is a complete slice to an error location and it is feasible (therefore executable for some state), we are guaranteed that for each state that can execute the slice there exist an executable path that reach the error location

Soundness A path slice  ’ of  is a sound slice if WP.true.(Tr.  )  WP.true.(Tr.  ’) So a state that can execute the trace of a path can execute the trace if a sound slice of it

Example CFA ’4 5 6 ErrExit [a>0] [a≤0] x=0 c=0 i=1[i<1000] [i≥1000] c=c+f(i) i++ [a>0] [a≤0] [x==0] Slice ’ 5 6 Err [a>0] x=0 c=0 i=1 [i≥1000] [a>0] [x==0] 4 [i<1000] c=c+f(i) i++ Slice ’ 5 6 Err [a>0] x=0 c=0 i=1 [i≥1000] [a>0] [x==0] 4 [i<1000] c=c+f(i) i++ Not Sound slice The path could execute in s={a>0} the slice only in s’={a>0, x=0} Complete and Sound Slice

Path Slice Algorithm Backward traversal of the CFA Keep 2 information  lvalues set L (the set of lives values)  Step location pc s An edge is added to the slice if  It assign one of the lvalues  If there is a branch that can bypass the current step  If there is a path from the current edge to the step edge that assign one of the lvalues

Experimental Results Tested correctens of files handling in real programs (fcron, wuftpd, make, privoxy, ijpeg, openssh, gcc) In average the length of the Slice was 5% of the length of the original trace In case of longer traces the slices where much shorter (0.1%) Examples  Shortest trace 47 operations: output 27 operations (57%)  Longest trace 82,695 operations: output 43 operations (less that 0.1%)

Conclusion Path Slicing is an interesting technique to reduce the size of a counter example An linear algorithm that return a Sound and Complete path slice is provided Implemented in the Blast model checker Experimental results on real programs proved the benefit of that approach Limitations  The implementation use a depth first search for counter examples that returns very long traces  Imprecise model of the heap creates problems in the verification of certain programs  Slow implementation of WrBt and By functions used by the algorithm, don’t scale well