Dynamic Program Analysis with Partial Execution and Summary Thomas Huining Feng CHESS, UC Berkeley May 8, 2007 CS.

Slides:

Advertisements

Similar presentations

Artificial Intelligence Presentation

Advertisements

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

Siddharth Srivastava, Neil Immerman, Shlomo Zilberstein University of Massachusetts Amherst.

Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

CPSC 322, Lecture 9Slide 1 Search: Advanced Topics Computer Science cpsc322, Lecture 9 (Textbook Chpt 3.6) January, 23, 2009.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

Beating Brute Force Search for Formula SAT and QBF SAT Rahul Santhanam University of Edinburgh.

More on Recursive Methods KFUPM- ICS Data Structures.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.

Design and Analysis of Algorithms

Introduction to Code Generation Mooly Sagiv html:// Chapter 4.

DAST, Spring © L. Joskowicz 1 Data Structures – LECTURE 1 Introduction Motivation: algorithms and abstract data types Easy problems, hard problems.

CS 536 Spring Intermediate Code. Local Optimizations. Lecture 22.

01/27/2005 Combinationality of cyclic definitions EECS 290A – Spring 2005 UC Berkeley.

Analysis of Algorithms 7/2/2015CS202 - Fundamentals of Computer Science II1.

Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

Chapter 7Louden, Programming Languages1 Chapter 7 - Control I: Expressions and Statements "Control" is the general study of the semantics of execution.

DAST, Spring © L. Joskowicz 1 Data Structures – LECTURE 1 Introduction Motivation: algorithms and abstract data types Easy problems, hard problems.

Ch. 8 & 9 – Linear Sorting and Order Statistics What do you trade for speed?

1 Introduction to Parsing Lecture 5. 2 Outline Regular languages revisited Parser overview Context-free grammars (CFG’s) Derivations.

CS32310 MATRICES 1. Vector vs Matrix transformation formulae Geometric reasoning allowed us to derive vector expressions for the various transformation.

Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

1/20 Symbolic Execution and Program Testing Charngki PSWLAB Symbolic Execution and Program Testing James C.King IBM Thomas J.Watson Research Center.

Stacks & Recursion. Stack pushpop LIFO list - only top element is visible top.

1 Chapter 24 Developing Efficient Algorithms. 2 Executing Time Suppose two algorithms perform the same task such as search (linear search vs. binary search)

CS-2852 Data Structures LECTURE 12B Andrew J. Wozniewicz Image copyright © 2010 andyjphoto.com.

CSE Winter 2008 Introduction to Program Verification January 29 how wang works.

Unit Testing 101 Black Box v. White Box. Definition of V&V Verification - is the product correct Validation - is it the correct product.

An Introduction to Graph Rewriting Thomas Huining Feng CHESS, UC Berkeley May.

CSC 211 Data Structures Lecture 13

CSC 221: Recursion. Recursion: Definition Function that solves a problem by relying on itself to compute the correct solution for a smaller version of.

CS 361 – Chapters 8-9 Sorting algorithms –Selection, insertion, bubble, “swap” –Merge, quick, stooge –Counting, bucket, radix How to select the n-th largest/smallest.

Lecture 3: Uninformed Search

Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.

Lecture 2COMPSCI AP G Gimel'farb1 Estimated Time to Sum Subarrays Ignore data initialisation “Brute-force” summing with two nested loops: T(n) 

Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.

CS265: Dynamic Partial Order Reduction Koushik Sen UC Berkeley.

 Control Flow statements ◦ Selection statements ◦ Iteration statements ◦ Jump statements.

Recursion A recursive definition is one which uses the word or concept being defined in the definition itself Example: “A computer is a machine.

CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications Chapter.

A Introduction to Computing II Lecture 5: Complexity of Algorithms Fall Session 2000.

Solving problems by searching A I C h a p t e r 3.

Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.

Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson

Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson

CMPT 120 Topic: Searching – Part 2 and Intro to Time Complexity (Algorithm Analysis)

Welcome to Recursion! Say what?!? Recursion is… the process of solving large problems by simplifying them into smaller ones. similar to processing using.

Uniformed Search (cont.) Computer Science cpsc322, Lecture 6

More on Recursive Methods

Algorithm Analysis CSE 2011 Winter September 2018.

Building Java Programs

Applied Discrete Mathematics Week 6: Computation

Elided to examples only

Building Java Programs

ICT Programming Lesson 3:

Model Transformation with the Ptera Controller

Building Java Programs

Example (C code) int double(int x) { return 2 * x; }

ECE 103 Engineering Programming Chapter 18 Iteration

CUTE: A Concolic Unit Testing Engine for C

Sum this up for me Let’s write a method to calculate the sum from 1 to some n public static int sum1(int n) { int sum = 0; for (int i = 1; i

Presentation transcript:

Dynamic Program Analysis with Partial Execution and Summary Thomas Huining Feng CHESS, UC Berkeley May 8, 2007 CS Class Project

Motivating Example 1 JCute finds 2 4 =16 paths. Overall failure constraint is [failure] (after simplification). Can we reduce the number of paths? public class A { void f(boolean op1, boolean op2, boolean op3, boolean failure) { if (op1) { System.out.println("Operation 1"); } if (op2) { System.out.println("Operation 2"); } if (op3) { System.out.println("Operation 3"); int fail; } op1 op2 op3 fail Parameters are generated by JCute. 2 if (failure) { System.out.println(“FAILURE”); return; } else { return; }

Motivating Example 2 JCute never halts. – An unbounded number of paths exist, because i is arbitrary. Can we handle this problem? Yes. Can we handle this problem within 10 runs? Yes. public class B { void f(int i, int j) { for (int k = 0; k < i; k++) { if (i == j) int fail; } Raise a failing signal when [i == j]. Equivalent == j”) int fail; 3

Overview Examples exhibit 2 problems: 1)Exponential paths to explore. 2)Unbounded paths to explore before a loop constraint is found. Assumption: Free of side effect, deterministic Java programs.  To solve problem 1: – For a program with n = n 1 + n 2 + … + n k sequential tests o split the program into k trunks o reduce the complexity to 2 n n 2 + … + 2 n k (best case) – Let n 1 = n 2 = … = n k = 1 to achieve linear growth.  To solve problem 2: – Partially execute the loop. – Compute a fixpoint of constraints. 4

Solving Problem 1 Examples exhibit 2 problems: 1)Exponential paths to explore. 2)Unbounded paths to explore before a loop constraint is found. Assumption: Free of side effect, deterministic Java programs.  To solve problem 1: – For a program with n = n 1 + n 2 + … + n k sequential tests o split the program into k trunks o reduce the complexity to 2 n n 2 + … + 2 n k (best case) – Let n 1 = n 2 = … = n k = 1 to achieve linear growth.  To solve problem 2: – Partially execute the loop. – Compute a fixpoint of constraints. 5

Partition the Program 1 st execution: the last test of the program. 2 branches; 4 paths. Constraint: [op3 && failure || !op3 && failure] ⇔ [failure] public class A { void f(boolean op1, boolean op2, boolean op3, boolean failure) { if (op1) { System.out.println("Operation 1"); } if (op2) { System.out.println("Operation 2"); } if (op3) { System.out.println("Operation 3"); int fail; } public class A { void f(boolean op1, boolean op2, boolean op3, boolean failure) { if (op3) { System.out.println("Operation 3"); int fail; } Seg. 3 Seg. 2 Seg. 1 6

Rewrite the Program public class A { void f(boolean op1, boolean op2, boolean op3, boolean failure) { if (op1) { System.out.println("Operation 1"); } if (op2) { System.out.println("Operation 2"); } if (op3) { System.out.println("Operation 3"); int fail; } public class A { void f(boolean op1, boolean op2, boolean op3, boolean failure) { if (op1) { System.out.println("Operation 1"); } if (op2) { System.out.println("Operation 2"); int fail; } Rewrite 7

Segment the Program Again 2 nd execution: the last test of the program. 2 branches; 4 paths. Constraint: [op2 && failure || !op2 && failure] ⇔ [failure] public class A { void f(boolean op1, boolean op2, boolean op3, boolean failure) { if (op1) { System.out.println("Operation 1"); } if (op2) { System.out.println("Operation 2"); int fail; } public class A { void f(boolean op1, boolean op2, boolean op3, boolean failure) { if (op2) { System.out.println("Operation 3"); int fail; } Seg. 3 Seg. 2 8

Assessment Repeat this process until head of the program is reached. A big gain? 9 op1 op2 op3 fail op3 fail op2 fail op1 fail Total # of paths: = 12Total # of paths: 2 4 = 16

Assessment 10 Total # of paths: 8*2 + 8*2 = 32 Total # of paths: 8 * 8 * 2 = 128

Solving Problem 2 Examples exhibit 2 problems: 1)Exponential paths to explore. 2)Unbounded paths to explore before a loop constraint is found. Assumption: Free of side effect, deterministic Java programs.  To solve problem 1: – For a program with n = n 1 + n 2 + … + n k sequential tests o split the program into k trunks o reduce the complexity to 2 n n 2 + … + 2 n k (best case) – Let n 1 = n 2 = … = n k = 1 to achieve linear growth.  To solve problem 2: – Partially execute the loop. – Compute a fixpoint of constraints. 11

Bounded Loop Execution First, identify the loop. 12 public class B { void f(int i, int j) { for (int k = 0; k < i; k++) { if (i == j) int fail; } public class B { void f(int i, int j) { int k; k = 0; l1: if (k < i) { if (i == j) int fail; } k++; goto l1; }

Bounded Loop Execution Assume that the loop exits in n = 3 iterations. Partition the program into 4 segments. 13 public class B { void f(int i, int j) { int k; k = 0; l1: if (k < i) { if (i == j) int fail; } k++; goto l1; } k<i i==j k<i i==j k<i i==j … k<i … NY NY i==j k<i i==j k<i i==j NY NY Seg. 1 Seg. 2 Seg. 3 Seg. 4

Run the tree from the tail. Repeat computing the failure constraint. Test for fixpoint. Reduce the loop into a simple branch. Bounded Loop Execution 14 k<i i==j k<i i==j k<i i==j NY NY Test 1: C1 k<i i==j k<i i==j C1 NY NY Test 2: C2 Test 3: C3 k<i i==j C2 NY NY C3 NY

Bounded Loop Execution 1 st execution: 3 paths. Constraint: [k <= i-1 && i == j] 15 public class B { void f(int i, int j) { int k; k = 0; l1: if (k < i) { if (i == j) int fail; } k++; goto l1; } Seg public class B { void f(int i, int j) { int k = JCute.input.Integer(); if (k < i) { if (i == j) int fail; } k++; }

Bounded Loop Execution Analyze 1 more iteration. Re-execute: 4 paths. Constraint: [k <= i-1 && i == j] (fixpoint) 16 public class B { void f(int i, int j) { int k; k = 0; l1: if (k < i) { if (i == j) int fail; } k++; goto l1; } Seg public class B { void f(int i, int j) { int k = JCute.input.Integer(); if (k < i) { if (i == j) int fail; } k++; if (k < i) { if (i == j) int fail; } k++; } public class B { void f(int i, int j) { int k = JCute.input.Integer(); if (k < i) { if (i == j) int fail; } <= i-1 && i == j”) int fail; }

Bounded Loop Execution Substitute the whole loop with the fixpoint constraint. Execute the program: 3 paths. Constraint: [i >= 1 && i == j] Total # of paths: = public class B { void f(int i, int j) { int k; k = 0; l1: if (k < i) { if (i == j) int fail; } k++; goto l1; } Seg public class B { void f(int i, int j) { int k; k = <= i-1 && i == j”) int fail; }

Demo: Eclipse Plugin 18

Conclusion: Advantage and Drawback Advantages: 1)Greatly reduce the number of paths in some cases. 2)Derive constraints for unbounded loops. Limitations 1)Need transformation and compilation every time you want to simplify the program with the newly derived constraints. 2)Advantage 1 is lost if constraints are not (cannot be) simplified. 19 void f(boolean op1, boolean op2, boolean op3, boolean failure) { if (op1) { System.out.println("Operation 1"); } if (op2) { System.out.println("Operation 2"); } if (op3) { System.out.println("Operation 3"); int fail; } [op3 && failure || !op3 && failure] (4 paths) [op2 && op3 && failure || op2 && !op3 && failure || !op2 && op3 && failure || !op2 && !op3 && failure] (8 paths) [op1 && op2 && op3 && failure || op1 && op2 && !op3 && failure ||...] (16 paths)