Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Published byLina Fraser Modified over 10 years ago

Similar presentations

Presentation on theme: "Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani"— Presentation transcript:

1 Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani http://research.microsoft.com/slam/

2 Outline  Boolean Programs and Bebop What? Why? Results Demo  Semantics of Boolean Programs  Technical details of algorithm  Evaluation  Related Work

3 Boolean Programs: What  Model for representing abstractions of imperative programs in C, C#, Java, etc.  Features:  Boolean variables  Control-flow: sequencing, conditionals, looping, GOTOs  Procedures  Call-by-value parameter passing  recursion  Control non-determinism

4 Boolean programsBoolean programs: Why bool x,y; [1] while (true) { [2] if(x == y) { [3]y = !x; } else{ [4]x = !x; [5]y = !y; } [6]if (?) break; } [7] if(x == y) [8]assert (false); Representation of program abstractions, a la Cousots Each boolean variable represents a predicate: (i < j) (*p==i) && ( (int) p == j) (p  T), where T is recursive data type [Graf-Saidi]

5 Bebop - Results  Reachability in boolean programs reduced to context-free language reachability  Symbolic interprocedural dataflow analysis  Adaptation of [Reps-Horwitz-Sagiv, POPL’95] algorithm  Complexity of algorithm is O(E  2 n )  E = size of interprocedural control flow graph  n = max. number of variables in the scope of any label

6 Bebop - Results  Admits control flow + variables Existing pushdown model checkers don’t use variables (encode variable values explicitly in state) [Esparaza, et al.] Analyzes procedures separately  exploits procedural abstraction + locality of variable scopes  Uses hybrid representation  Explicit representation of control flow graph, as in a compiler  Implicit representation of reachable states via BDDs  Generates hierarchical trace

7 Bebop Demo!

8 Outline  Boolean Programs and Bebop  Semantics of Boolean Programs “stackless” semantics using context-free grammar  Technical details of algorithm  Evaluation  Related Work

9 Stackless Semantics  State  = p = program counter  = valuation to variables in scope at p No stack!   (B): finite alphabet over boolean program B Call (with return to p),  a valuation to Locals(p) Return to p,  a valuation to Locals(p)

10 State transition -  ->  =  (x) =  (x), x in Locals(c)  =  ’(x) =  (x), x in Locals(c)  ’(g) =  (g), g a global

11 Trace Semantics  Context-free grammar L(B) constrains allowable traces M -> M M -> M M M ->    0 -  1 ->  1 -  2 -> …  m-1 -  m ->  m is a trajectory of B iff  i -  i+1 ->  i+1 is a state transition, for all i  1  2 …  m  L(B)

12 Outline  Boolean Programs and Bebop  Semantics of Boolean Programs  Technical details of reachability algorithm Binary Decision Diagrams (BDDs) Path edges Summary edges Example  Preliminary Evaluation  SLAM Project

13 Binary Decision Diagrams  Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors)  F(x,y,z) = (x=y) x y z 11 z 00 y z 00 z 11

14 Hash Consing + Variable Elimination x yy z 0 z 1 x yy 0 1 x y z 11 z 00 y z 00 z 11

15 Path Edges   PE(p), iff Exists initialized trajectory ending in, where e = entry(Proc(p)) Exists trajectory from to  PE(p) is a set of pairs of valuations to boolean variables in scope in Proc(p) Can be represented with a BDD!

16 Representing Path Edges with BDDs  Example PE(p) for boolean variables x,y and z: PE(p) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)  BDDs also used to represent transfer functions for statements Transfer(z := x^y) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)

17 decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end 1 g'=0^h'=1 |g'=1^h'=0 g=g’=0^a1=a1’=0^a2=a2’=1 | g=g’=1^a1=a1’=1^a2=a2’=0 g=g’=0^a1=a1’=0^a2=a2’=1g=0^g’=1^a1=a1’=0^a2=a2’=1 Join(S,T) = { |  S,  T }

18 Summary Edges = Lift(, Pr)   1 (x) =  2 (x), x in Locals(c)  Locals don’t change   1 (g) =  d (g) and  r (g) =  2 (g), g global  Propagation of global state c: Pr() d: Proc Pr() e r <d,r><d,r> <1,2><1,2>

19 decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end g=0^g’=1^a1=a1’=0^a2=a2’=1 g=0^g’=1^a1=a1’=1^a2=a2’=0g=0^g’=1^h=h’=1

20 decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end 1 g'=0^h'=1 |g'=1^h'=0 g=0^g’=1^h=h’=1 g’=h’=1 g=g’=a1=a1’=a2=a2’=1

21 decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end 1 g'=0^h'=1 |g'=1^h'=0 g=g’=0^a1=a1’=0^a2=a2’=1 | g=g’=1^a1=a1’=1^a2=a2’=0 g=g’=1^a1=a1’=1^a2=a2’=0 g=g’=0^a1=a1’=0^a2=a2’=1 | g=g’=1^a1=a1’=1^a2=a2’=0 |a1=a1’=0^a2=a2’=1 g=g’=1^a1=a1’=0^a2=a2’=1

22 decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end g'=0^h'=1 |g'=1^h'=0 g=g’=1^a1=a1’=0^a2=a2’=1g=g’=1^a1=a1’=1^a2=a2’=0g=g’=1^h=h’=0 g'=1^h'=0 g=g’=1^a1=a1’=1^a2=a2’=0

23 Worklist Algorithm  while PE(v) has changed, for some v Determine if any new path edges can be generated New path edge comes from  Existing path edge + transfer function  Existing path edge + summary edge (transfer function for procedure calls) New summary edges generated from path edges that reach exit vertex

24 Generating Error Traces  Partition reachable states into “rings” A ring R at stmt S is numbered N iff there is a shortest trace of length N to S ending in a state in R  Hierarchical generation of error trace Skip over or descend into called procedures

25 Outline  Boolean Programs and Bebop  Semantics of Boolean Programs  Technical details of algorithm  Preliminary Evaluation Linear behavior if # vars in scope remains constant Self application of Bebop  Related Work

26 decl g; void main() begin level1(); if(!g) then reach: skip; else skip; fi end void level () begin decl a,b,c; if (g) then while(!a|!b|!c) do if (!a) then a := 1; elsif (!b) then a,b := 0,1; elsif (!c) then a,b,c := 0,0,1; else skip; fi od else ; fi g := !g; end

27

28 Application: Analysis Validation  Live variable analysis (LVA) A variable x is live at s if there is a path from s to a use of x (with no intervening def of x) Used to optimize bebop Quantify out variables as soon as they become dead  How to check correctness of LVA? Analysis validation Create a boolean program to check results of LVA Model check boolean program (w/out LVA)

29 Analysis Validation  Output of LVA: { (s,x) | x is dead at s }  Boolean program Two variables per original program var x: x_dead (initially 0) x_defined (initially 0) For each fact (s,x): x_dead, x_defined := 1, 0; For each def of x: x_defined := 1; For each use of x if (x_dead && !x_defined) LVAError();  Query: is LVAError reachable?

30 Results  Found subtle error in implementation of LVA  Was able to show colleague that there was another error, in his code  Analysis validation now part of regression test suite

31 Related Work  Pushdown Automata (PDA) decidability results  [Hopcroft-Ullman]  Model checking PDAs  [Bouajjani-Esparza-Maler] [Esparza-Hansel-Rossmanith-Schwoon]  Model checking Hierarchical State Machines  [Alur, Grosu]  Interprocedural dataflow analysis  [Sharir-Pnueli] [Steffen] [Knoop-Steffen] [Reps-Horwitz-Sagiv]

32 Related Work  Reps-Horwitz-Sagiv (RHS) algorithm Handles IFDS problems Interprocedural Finite domain D Distributive dataflow functions (MOP=MFP) Subsets of D Dataflow as CFL reachability over “exploded graph”  Our results RHS algorithm can be reformulated as a traditional dataflow algorithm over original control-flow graph with same time/space complexity Reformulated algorithm is easily lifted to powersets of D using BDDs Arbitrary dataflow functions Path-sensitive

33 Summary  Bebop: a model checker for boolean programs Based on interprocedural dataflow analysis using BDDs Exploits procedural abstraction Admits many traditional compiler optimizations Hierarchical trace generation + DHTML user interface Release at end of year  SLAM project Iteratively refine boolean program models of C programs Use path simulation to discover relevant predicates (simcl) Automated predicate abstraction (c2bp)

34 Software Productivity Tools Microsoft Research http://research.microsoft.com/slam/

Download ppt "Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani"

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.

Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Course Outline Traditional Static Program Analysis Software Testing

Course Outline Traditional Static Program Analysis Software Testing
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Programming Languages and Paradigms

Programming Languages and Paradigms
Interprocedural Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12.

Interprocedural Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.

Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Similar presentations

Ads by Google