Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Testing, Abstraction, Theorem Proving: Better Together! Greta Yorsh joint work with Thomas Ball and Mooly Sagiv.

Published byPhoebe Garrett Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Testing, Abstraction, Theorem Proving: Better Together! Greta Yorsh joint work with Thomas Ball and Mooly Sagiv."— Presentation transcript:

1 1 Testing, Abstraction, Theorem Proving: Better Together! Greta Yorsh joint work with Thomas Ball and Mooly Sagiv

2 2Motivation Traditionally, Find errors using testing Prove absence of errors using static analysis –abstract interpretation –theorem proving Recently, finding errors by a combination of static and dynamic analyses Our method: leverage on existing tests to prove absence of errors Static Analysis Testing 1. 2.

3 3 Main Result A new method for static analysis –leverages on concrete executions –computes program invariants –sound –complete with respect to abstract interpreter –terminates

4 4 The idea test set executionMonitor existing test set execution AbstractionAbstraction to generalize from a test set Theorem proverTheorem prover to check soundness

5 5 T’ abstraction  program P Execute Abstract CTCT Check invariant(A T,P) ATAT Check safety properties yes potential error Fabricate tests test set T no verified The Core Algorithm

6 6 void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 4) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } [pc, x, y, px ] Concrete State pc, x<5, px== NULL Abstraction predicates: foo(2,0)foo(6,0)foo(11,0)Test set T :

7 7 void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 4) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } foo(3,0)foo(2,0)foo(6,0)foo(11,0) pc, x<5, px== NULL Abstraction predicates: (A,t,t) (B,t,t) (C,t,t) (D,t,f) (F,t,f) (G,t,f) (H,t,f) (A,f,t) (B,f,t) (D,f,t) (F,f,t) (H,f,t) Check invariant(A T,foo) Test set T : [B,4,0, NULL ] [D,4,0, NULL ] Fabricated States

8 8 b d A,t,t C,t,t D,t,f F,t,f G,t,f H,t,f F,t,t E,t,f G,t,t F,f,f H,f,f A,f,t B,f,t D,f,t F,f,t H,f,t foo(2,0)foo(11,0) foo(3,0) B,t,t D,t,t foo(6,0) void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 4) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } Finding a bug [pc, x, y, px ] (pc, x<5, px== NULL ) Concrete State Abstract State

9 9 T’ abstraction  program P Execute Abstract CTCT Check invariant(A T,P) ATAT Check safety properties yes potential error Fabricate tests test set T no verified The Core Algorithm

10 10 What does it require? Execution from fabricate states –fault injection or debugger Check invariants using a theorem prover Fabricate states using counter-examples from the theorem prover

11 11 Using Theorem Provers Calls to a theorem prover –can be expensive –timeout potentially causes loss of precision –not always generate concrete counter-example Our method is oriented towards finding a proof rather than detecting errors Checking invariants requires less theorem prover calls than computing invariants

12 12 void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 5) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } foo(3,0)foo(2,0)foo(6,0)foo(11,0) pc, x<5, px== NULL Abstraction predicates: Test set T : Check invariant(A T,foo) [D,4,0,&y ] [E,4,0,&y ]

13 13 e’ A,t,t B,t,t C,t,t F,t,f G,t,f H,t,f F,f,f H,f,f A,f,t B,f,t D,f,t F,f,t H,f,t fixed_foo(2,0)fixed_foo(11,0) d’ D,t,f E,t,f fixed_foo(6,0) pc, x<5, px==NULL void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 5) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } Finding a proof

14 14 Bisimulation – every error is real Weak reachability – every abstract state represents a feasible concrete state Simulation –error in concrete system is error in abstract system –avoids refinements unnecessary to prove the property (our method) Checking Invariants BisimulationWeak reachabilitySimulation less precise more precise (our method)

15 15 2-Process Bakery Proof by Bisimulation –results from [C. Pasareanu et. al. - CAV’05] –5 refinement steps Our method –invariant with 17 abstract states –no refinement

16 16 A,A,t B,A,t A,A,f C,A,t A,B,t B,B,t D,A,t C,A,f C,B,t D,B,t C,C,t D,C,t A,C,t B,C,t C,C,f C,D,f C,B,f 2-Process Bakery An invariant with 17 abstract states

17 17 void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 5) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } foo(3,0)foo(2,0)foo(6,0)foo(11,0) pc, x<10, px== NULL Abstraction predicates: Test set T :

18 18 A,t,t B,t,t C,t,t D,t,f F,t,f G,t,f H,t,f E,t,f F,f,f H,f,f H,t,t fixed_foo(2,0) fixed_foo(6,0) F,t,t G,t,t f’ D,t,t g’ A,f,t B,f,t D,f,t F,f,t H,f,t fixed_foo(11,0) pc, x<10, px==NULL void foo(int x, int y){ int *px = NULL; A: x = x + 1; B: if (x < 5) C: px = &x; D: if (px == &y) E: x = x + 1; F: if (x < 5) G: *px = *px + 1; H: return; } Finding a false error

19 19 abstraction  T’ program P Execute Abstract CTCT Check invariant(A T,P) ATAT Check safety properties yes potential error Fabricate tests test set T no verified The Algorithm classify errors false alarm refine abstraction real error abstraction  ’

20 20 Abstract Interpretation Potentially more efficient –execution and abstraction of concrete states is fast –avoid abstract transformers for parametric domains –no static abstract transition system –one concrete state can “discover” many abstract states Potentially more precise –the result is the least fixpoint w.r.t.  (if all theorem prover calls were conclusive)

21 21 Hybrid Approach It is sound to stop the concrete execution at any moment and check invariant(A,P) Alternate between concrete execution and abstract interpretation Tune the performance of the analysis execution time vs. theorem proving time –timeout new abstract state not covered – while (x < 10 6 ) x++;

22 22 a0a0...

23 23 Further Research Directions Robust implementation and evaluation –based on a SAT solver Fabricated states –cover more abstract states –turn fabricated traces into concrete traces –guide refinement Benefits for testing –new notion of coverage related to errors –eliminate redundant tests –infer procedures pre- and post-conditions –unit tests generation

24 24 The Most Related Work [T.Reps et al. – VMCAI’04 ] Best abstract transformers for statements [T.Ball – FMCO’04] Weak reachability [D.Lee, M.Yannakakis – STOC’92] [C. Pasareanu et. al. - CAV’05] Bisimulation

25 25Summary A new method for static analysis –computing invariants –leverage existing test suite –Abstraction to generalize from a test –Theorem prover to check soundness –Model generator to create new tests Potentially faster and more precise than abstract interpretation Explain abstract interpretation in terms of concrete execution and abstraction

Download ppt "1 Testing, Abstraction, Theorem Proving: Better Together! Greta Yorsh joint work with Thomas Ball and Mooly Sagiv."

Similar presentations

Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Abstraction for Falsification Thomas Ball Orna Kupferman Greta Yorsh Microsoft Research, Redmond, US Hebrew University, Jerusalem, Israel Tel Aviv University,

Abstraction for Falsification Thomas Ball Orna Kupferman Greta Yorsh Microsoft Research, Redmond, US Hebrew University, Jerusalem, Israel Tel Aviv University,
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.

Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.

Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

Similar presentations

Ads by Google