Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.

Published byMavis Boyd Modified over 9 years ago

Similar presentations

Presentation on theme: "CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE."— Presentation transcript:

1 CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE

2 Acknowledgement C. Cadar, D. Dunbar, D. Engler: KLEE, OSDI’08 Godefroid, Klarlund, Sen: DART, PLDI ‘05 Sen, Markov, Agha: CUTE, FSE’05

3 Three Concerns Path explosion Handling the environment Hard constraints

4 KLEE: Architecture Hybrid between OS for sym proc and interpreter Each Sym proc has a register file, stack, heap, program counter and path condition – register file, stack, heap are expressions here Sym process represented as a state in KLEE

5 KLEE Architecture LLVM bytecode K L E E SYMBOLIC ENVIRONMENT Constraint Solver (STP) x = 3 x = -2 x = 1234 x = 3 C code x  0 x  1234 LLVMLLVM

6 KLEE: Architecture Program is converted to LLVM bytecode KLEE interprets bytecode directly and maps to constraints – w/o approximation – bit level accuracy

7 KLEE: Architecture Before building sym expr, check if operands are concrete – if so, perform them natively! example: %dst = add i32 %src0, %src1

8 KLEE: Architecture Conditional branches: – boolean expr – change instruction pointer whether provably true or false along the current path – if both are feasible then clone states and accordingly change respective instruction pointers

9 KLEE: Architecture Potentially dangerous instructions – act as branches ex. division instruction generates a branch to check div-by- zero if error is generated then constraint falsified and alternated path is explored test case generated to trigger the error and terminates the state. Some dangerous operations: – ld/st – out of bound checks – pointer dereference – assertions, etc.

10 KLEE: Architecture Problem with ld/st – Modeling memory! – if flat byte array then solvers never return – every memory object as a separate solver array essentially segmented memory ignores all other locations not reference by the ld/st

11 KLEE: Architecture Problem with pointers – KLEE clones the state N times at pointer dereference – a pointer can have a large points-to set – in-bounds check for respective points-to object – This solution is expensive – Works for KLEE as their benchmarks had pointers with singleton points-to sets.

12 Compact State Representation Implements copy-on-write at the object level – rather than at the page level Heaps as immutable maps – therefore portions of heap can also be shared among states

13 Query Optimization Queries are NP-complete Expression re-writing: – x + 0 = x – x* 2^n = x<<n – 2*x – x = x

14 Query Optimization Constraint Simplification: – x True ∧ x = 5 propagate equality constraints Implied value concretization – x = 5 makes x concrete and written to memory – subsequent accesses returns cheap constants

15 Query Optimization Constraint Independence – Constraints do not overlap in terms of memory they refer Eg: i 0 Query: i = 20? – remove irrelevant subset of constraints

16 Query Optimization Counterexample Caching – Redundant queries are frequent – simple cache is effective – counterexample cache: maps set of constraints to counter-examples sentinels if there is no solution

17 Query Optimization Counterexample Caching Eg: {i < 10, i = 10} – no solution – If subset has no solution then larger set they appear in has also no solution Eg: {i < 10, j = 8} – If superset has a solution then so does the subset

18 Effectiveness of Optimizations

19 State Scheduling Random path selection – helps avoid starvation when loops creating fork- bombs Coverage-optimized search – heuristics to compute weight of each node min dist to the uncovered node – choose states with higher probability to explore uncovered code Round robin among the first two !

20 Environment Modeling If all arguments concrete, execute natively Otherwise, provide models on symbolic files int fd = open(“t.txt”, O_RDONLY);

21 Concolic Execution Works well on interprocedural bugs, use of library calls

22 Concolic Execution Falls back on concrete values when – Non linear arithmetic – pointers pointing to input values

23 Concolic execution with dynamic data Static alias analysis is required! -- since no way to know whether a->c is overwritten.

24 Nonlinear arithmetic

Download ppt "CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE."

Similar presentations

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
KLEE: Effective Testing of Systems Programs

KLEE: Effective Testing of Systems Programs
1 Symbolic Execution Kevin Wallace, CSE504 2010-04-28.

1 Symbolic Execution Kevin Wallace, CSE
A Survey of Approaches for Automated Unit Testing

A Survey of Approaches for Automated Unit Testing
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
1 Lecture 3: MIPS Instruction Set Today’s topic:  More MIPS instructions  Procedure call/return Reminder: Assignment 1 is on the class web-page (due.

1 Lecture 3: MIPS Instruction Set Today’s topic:  More MIPS instructions  Procedure call/return Reminder: Assignment 1 is on the class web-page (due.
P3 / 2004 Register Allocation. Kostis Sagonas 2 Spring 2004 Outline What is register allocation Webs Interference Graphs Graph coloring Spilling Live-Range.

P3 / 2004 Register Allocation. Kostis Sagonas 2 Spring 2004 Outline What is register allocation Webs Interference Graphs Graph coloring Spilling Live-Range.
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
Intermediate Code Generation

Intermediate Code Generation
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto

ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

Similar presentations

Ads by Google