Presentation is loading. Please wait.

Presentation is loading. Please wait.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley."— Presentation transcript:

1 Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley

2 a := 0 b := i a := i – 2 b := 2 c := b – a assert (a + b = i) assert (c = a + i) c := 2a + b true false true * * Quick Overview

3 a := 0 b := i a := i – 2 b := 2 c := b – a assert (a + b = i) assert (c = a + i) c := 2a + b true false true * * Quick Overview Random testing needs to execute all 4 paths to verify assertions 

4 a := 0 b := i a := i – 2 b := 2 c := b – a assert (a + b = i) assert (c = a + i) c := 2a + b true false true * * Quick Overview w 1 = 5 i = 3, a = 0, b = 3 i = 3 i = 3, a = 1, b = 2 i = 3, a = -4, b = 7 a join = w 1  a false + ( 1 – w 1 )  a true

5 a := 0 b := i a := i – 2 b := 2 c := b – a assert (a + b = i) assert (c = a + i) c := 2a + b true false true * * Quick Overview w 1 = 5 i = 3, a = 0, b = 3 i = 3 i = 3, a = 1, b = 2 i = 3, a = -4, b = 7 w 2 = 2 i = 3, a = -4, b = 7, c = 11 i = 3, a = -4, b = 7, c = -1 i = 3, a = -4, b = 7, c = 23 

6 Random Interpretation Random Testing dynamically testing the program using randomly generated input Pros: Simple implementation Cons: Limited code coverage Abstract Interpretation statically analyzing selected properties of the program using symbolic execution Pros: Static analysis Cons: Conservative / Complicated

7 Random Interpretation statically analyzing selected properties of the program using symbolic random states Pros: Static analysis, Simple implementation Cons: Probabilistically sound Small number of runs guarantee a high probability of soundness

8 Intra-procedural Framework Program Model: State captured as polynomials, which are linear in program variables Goal: To detect equivalences between polynomials c := b – ac := 2a + b w = 2 i = 3, a = -4, b = 7, c = 11 i = 3, a = -4, b = 7, c = -1 i = 3, a = -4, b = 7, c = 23

9 Intra-procedural Framework Algorithm 1.Choose random values for input variables 2.Execute assignments  Use property-specific Eval() to abstract program state as polynomials 3.Execute both branches of conditionals  Use Affine Join to combine both program states at join points 4.Compare polynomials to decide equality

10 Intra-procedural Framework Design of Eval()s  Property (abstraction) specific  Linear arithmetic e := x | e 1 § e 2 | c  e P(e) := e  Un-interpreted functions e := x | F( e ) P( x ) := x P( F( e ) ) := c 1  P(e) + c 2  Completeness and Soundness  P(e 1 ) = P(e 2 ) iff e 1 = e 2  Linearity  P(e) is linear in program variables

11 Intra-procedural Framework Affine Join  To combine (branched) program states at join points   =  w (  1,  2 ) a := 0 b := i a := i – 2 b := 2 true false * w = 5 i = 3, a = 0, b = 3 i = 3, a = 1, b = 2 i = 3, a = -4, b = 7  11 22   ( x ) := w   1 ( x ) + (1-w)   2 ( x )

12 Intra-procedural Framework Affine Join  Completeness If polynomials P 1 and P 2 are equivalent in states  1 and  2, Then they are also equivalent in state    Soundness If polynomials P 1 and P 2 are not equivalent in either state  1 and  2, Then it is unlikely that they are equivalent in state   Generate a small number t of runs

13 Inter-Procedural Extensions 1.Maintain symbolic state summaries 2.Generate multiple fresh runs

14 Inter-Procedural Extensions a := 0 b := i a := i – 2 b := 2 c := b – a assert (a + b = i) assert (c = a + i) c := 2a + b true false true * * w 1 = 5 i = 3, a = 0, b = 3 i = 3 i = 3, a = 1, b = 2 i = 3, a = -4, b = 7 w 2 = 2 i = 3, a = -4, b = 7, c = 11 i = 3, a = -4, b = 7, c = -1 i = 3, a = -4, b = 7, c = 23 

15 Inter-Procedural Extensions a := 0 b := i a := i – 2 b := 2 c := b – a assert (a + b = i) assert (c = a + i) c := 2a + b true false true * * w 1 = 5 i = 2, a = 0, b = 2 i = 3 i = 2, a = 0, b = 2 w 2 = 2 i = 2, a = 0, b = 2, c = 2  i = 2

16 Inter-Procedural Extensions a := 0 b := i a := i – 2 b := 2 c := b – a assert (a + b = i) assert (c = a + i) c := 2a + b true false true * * w 1 = 5 a = 0, b = i i a = i - 2, b = 2 a = 8 – 4i, b = 5i - 8 w 2 = 2 a = 8 – 4i, b = 5i – 8,c = 9i - 16 a = 8 – 4i, b = 5i – 8, c = 8 – 3i a = 8 – 4i, b = 5i – 8, c = 21i - 40 1. Maintain symbolic state summaries

17 Inter-Procedural Extensions u := i + 1u := 3 true false * w = 5 u = i + 1 i u = 3 u = 5i - 7 return u x := A(2) y := A(1) z := A(1) assert (x = 3) assert (y = z) Procedure A Procedure B x = 3 y = -2 z = -2 Unsound way of summarizing multiple calls

18 Inter-Procedural Extensions u := i + 1u := 3 true false * w 1 = 5 u = i + 1 i u = 3 u = 7 – 2i return u x := A(2) y := A(1) z := A(1) assert (x = 3) assert (y = z) Procedure A Procedure B x =  7 (5i – 7, 7 – 2i) y =  3 (5i – 7, 7 – 2i) z =  5 (5i – 7, 7 – 2i) 2. Generate multiple fresh runs u = i + 1 u = 3 w 2 = -2 u = 5i - 7 x =  6 (5i – 7, 7 – 2i) y =  0 (5i – 7, 7 – 2i) z =  1 (5i – 7, 7 – 2i)

Download ppt "Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley."

Similar presentations

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.

Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.
Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,
A Polynomial-Time Algorithm for Global Value Numbering SAS 2004 Sumit Gulwani George C. Necula.

A Polynomial-Time Algorithm for Global Value Numbering SAS 2004 Sumit Gulwani George C. Necula.
Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,

Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,
Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.

Program Verification using Probabilistic Techniques Sumit Gulwani Microsoft Research Invited Talk: VSTTE Workshop August 2006 Joint work with George Necula.
Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.

Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.
Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.

Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.
Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.

Program Analysis using Random Interpretation Sumit Gulwani UC-Berkeley March 2005.
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
50.530: Software Engineering

50.530: Software Engineering
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
SPEED: Precise & Efficient Static Estimation of Symbolic Computational Complexity Sumit Gulwani MSR Redmond TexPoint fonts used in EMF. Read the TexPoint.

SPEED: Precise & Efficient Static Estimation of Symbolic Computational Complexity Sumit Gulwani MSR Redmond TexPoint fonts used in EMF. Read the TexPoint.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.
UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.

UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.

Similar presentations

Ads by Google