Looper: Lightweight Detection of Infinite Loops at Runtime Presenter: M. Amin Alipour Software Design Laboratory

Outline Problem Statement Motivating Example Basic Idea Solution in More Detail

Problem statement Dynamic Detection of Non-Terminating Loops – When a program does not responding if user knows whether it is in an infinite loop or making progress, she can decide to force the program to quit or wait and let it finishes its job.

Example Main() { x = foo(); y = bar(); while (x != 3 && y > 0) { x = (x * x + 2) % 10; y++; } This program will loop forever if foo() returns 6 and bar() returns 1.

Basic Idea Assumption: User Invokes the Looper when the program is unresponsive. Dynamic Instrumentation of running code Concolic Execution of program Basic Invariant Generation Construct non-terminating arguments Checking the argument with SMT solver

Example Main() { x = foo(); y = bar(); while (x != 3 && y > 0) { x = (x * x + 2) % 10; y++; } This program will loop forever if foo() returns 6 and bar() returns 1. while (x != 3 && y > 0) { x = (x * x + 2) % 10; y++; }  Assume Looper starts with x=8 and y=52  The symbolic execution treats variables x and y as symbolic inputs and infers that:  Starting X=8 and y>0, after iteration: x-->6 and y-->y+1 (It abstracts y and concretizes x )  Starting X=6 and y>0, after iteration x-->8 and y-->y+1.  It infers that these iterations follow each other and x will never be 3 and y will be positive, and the loop will run forever.

Mathematizations Assume M 0,c is initial concrete program state model Looper symbolically executes the program in parallel with one full concrete execution. After iteration 1 It produces M 1,Symbolic memory map after 1 st iteration Produces path constraint Φ 1 path constraint of execution path π 1 It tries to prove Φ 1 ==>Φ 1 [M 1 ] is tautology (done by an SMT solver)

General Formula Main() { x = foo(); y = bar(); while (x != 3 && y > 0) { x = (x * x + 2) % 10; y++; } This program will loop forever if foo() returns 6 and bar() returns 1. After iteration k It produces M k,Symbolic memory map after 1 st iteration Produces pah constraint Φ k path constraint of execution path π k It tries to prove Λ i Є [1,k] (Φ i ==>V jЄ [1,k] Φ j [M j ]) is tautology (done by an SMT solver) If it fails to prove after some fixed number it reports cannot conclude

Another example

Step 1 Abstract variable index Attempt Non-termination proof Symbolic Execution X

Step 3-5 Attempt for Non-termination proof fails for these steps, for example: Symbolic Execution X

Step 6 It proves Non-termination! Symbolic Execution results M 1

Programming Model and Concrete Semantics P::= Stmt* Stmt::= [l:] S S::= lhs=e | if p goto l’ | HALT e::= v | c| e op e p::= v comp v

Instrumentation Before InstrumentationAfter Instrumentation Initialization global vars M 0 =M I=0 global vars i =inputNumber= 0; Loop start i=i+1 if(i!=1) { M i = M; if(try_to proof(i)) Report non-termination; Exit; if(i==k) Report “Cannot conclude!” Exit; v=eIf (i==1) {inputNumber = inputNumber+1; initInput(&v, inputNumber);} execute symbolic(&v,“e”); M(v)=e v=e

Instrumentation-cntd InstrumentationAfter Instrumentation if (p) goto l evaluate_predicate(“p”, p); Upon result add p or !p to path constraints if (p) goto l V = new T If (i==1) {inputNumber = inputNumber+1; initInput(&v, inputNumber);} execute symbolic(&v,“ ﬩ ”); V.m=eM(V,M(m))=e;

References. Burnim, J., N. Jalbert, C. Sterigou, and K. Sen. “Looper: Lightweight Detection of Infinite Loops at Runtime ” Proc. 24th IEEE/ACM nternational Conference on Automated Software Engineering, Nov Sen, K., Marinov, D., and Agha, G CUTE: a concolic unit testing engine for C. In Proceedings of the 10th European Software Engineering Conference Held Jointly with 13th ACM SIGSOFT international Symposium on Foundations of Software Engineering (Lisbon, Portugal, September , 2005).