Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Counting with Applications to CodeHunt Willem Visser Stellenbosch University South Africa.

Published byNeil Benson Modified over 8 years ago

Similar presentations

Presentation on theme: "Model Counting with Applications to CodeHunt Willem Visser Stellenbosch University South Africa."— Presentation transcript:

1 Model Counting with Applications to CodeHunt Willem Visser Stellenbosch University South Africa

2 # SAT solutions?SAT or UNSAT? And Some solutions CodeHunt is built onModel Counting Can we use this for a Progress Bar?

3 In a perfect world… only linear integer constraints and only uniform distributions

4 void test(int x, int y) { if (y == x*10) S0; else S1; if (x > 3 && y > 10) S2; else S3; } Symbolic Execution [ Y=X*10 ] S0 [ X>3 & 10<Y=X*10] S2 [ true ] test (X,Y) [ Y!=X*10 & !(X>3 & Y>10) ] S3 [ Y!=X*10 ] S1 [ Y=X*10 & !(X>3 & Y>10) ] S3 [ X>3 & 10<Y!=X*10] S2 Test(1,10) reaches S0,S3 Test(0,1) reaches S1,S3 Test(4,11) reaches S1,S2

5

6 void test(int x, int y: 0..99) { if (y == x*10) S0; else S1; if (x > 3 && y > 10) S2; else S3; } Almost Rivers [ Y=X*10 ] [ Y!=X*10 ] [ X>3 & 10<Y=X*10] [ X>3 & 10<Y!=X*10][ Y!=X*10 & !(X>3 & Y>10) ] [ true ] [ Y=X*10 & !(X>3 & Y>10) ] y=10x x>3 & y>10 1 243 Which of 1, 2, 3 or 4 is the most likely?

7 void test(int x, int y: 0..99) { if (y == x*10) S0; else S1; if (x > 3 && y > 10) S2; else S3; } Rivers [ Y=X*10 ] [ Y!=X*10 ] [ X>3 & 10<Y=X*10] [ X>3 & 10<Y!=X*10][ Y!=X*10 & !(X>3 & Y>10) ] [ true ] [ Y=X*10 & !(X>3 & Y>10) ] y=10x x>3 & y>10

8 LattE Model Counter http://www.math.ucdavis.edu/~latte/ Count solutions for conjunction of Linear Inequalities

9 void test(int x, int y: 0..99) { if (y == x*10) S0; else S1; if (x > 3 && y > 10) S2; else S3; } Rivers of Values [ Y=X*10 ][ Y!=X*10 ] [ X>3 & 10<Y=X*10] [ X>3 & 10<Y!=X*10][ Y!=X*10 & !(X>3 & Y>10) ] [ true ] [ Y=X*10 & !(X>3 & Y>10) ] y=10x x>3 & y>10 10 4 9990 8538 10 64 1452

10 [ Y=X*10 ] [ Y!=X*10 ] [ X>3 & 10<Y=X*10] [ X>3 & 10<Y!=X*10] [ Y!=X*10 & !(X>3 & Y>10) ] [ true ] [ Y=X*10 & !(X>3 & Y>10) ] y=10x x>3 & y>10 10 4 9990 8538 10 64 1452 Program Understanding

11 [ X>3 & 10<Y=X*10] [ X>3 & 10<Y!=X*10] [ Y!=X*10 & !(X>3 & Y>10) ] [ Y=X*10 & !(X>3 & Y>10) ] y=10x x>3 & y>10 1 0.999 0.855 0.001 0.6 0.4 0.145 Probabilities 0.0006 0.00040.8538 0.1452

12 [ X>3 & 10<Y=X*10] [ X>3 & 10<Y!=X*10] [ Y!=X*10 & !(X>3 & Y>10) ] [ Y=X*10 & !(X>3 & Y>10) ] y=10x x>3 & y>10 1 0.999 0.855 0.001 0.6 0.4 0.145 Reliability 0.0006 0.00040.8538 0.1452 0.9996 Reliable

13 Can you add a progress bar? How wrong is the program? Which correct program is better?

14 Triangle Classification 2 Correct versions 2 Buggy versions – One created ourselves accidentally Small typo >= instead of <= – One from a student coding exercise Missed one condition

15 public static int classify(int i, int j, int k) { if ((i <= 0) || (j <= 0) || (k <= 0)) return 4; int type = 0; if (i == j) type = type + 1; if (i == k) type = type + 2; if (j == k) type = type + 3; if (type == 0) { // Confirm it is a legal triangle before declaring it to be scalene. if ((i + j <= k) || (j + k <= i) || (i + k <= j)) type = 4; else type = 1; return type; } // Confirm it is a legal triangle before declaring it to be isosceles or // equilateral. if (type > 3) type = 3; else if ((type == 1) && (i + j > k)) type = 2; else if ((type == 2) && (i + k > j)) type = 2; else if ((type == 3) && (j + k > i)) type = 2; else type = 4; return type; } Correct1

16 public static int classify(int i, int j, int k) { if ((i <= 0) || (j <= 0) || (k <= 0)) return 4; int type = 0; if (i == j) type = type + 1; if (i == k) type = type + 2; if (j == k) type = type + 3; if (type == 0) { // Confirm it is a legal triangle before declaring it to be scalene. if ((i + j = j)) type = 4; else type = 1; return type; } // Confirm it is a legal triangle before declaring it to be isosceles or // equilateral. if (type > 3) type = 3; else if ((type == 1) && (i + j > k)) type = 2; else if ((type == 2) && (i + k > j)) type = 2; else if ((type == 3) && (j + k > i)) type = 2; else type = 4; return type; } Buggy1

17 Correct2 public static int classify(int a, int b, int c) { if (a <= 0 || b <= 0 || c <= 0) return 4; if (! (a > c - b && a > b - c && b > a - c)) return 4; if (a == b && b == c) return 3; if (a == b || b == c || a == c) return 2; return 1; }

18 Buggy2 public static int classify(int a, int b, int c) { if ((a <= 0) || (b <= 0) || (c <= 0)) return 4; if ((a <= c - b) || (a<= b - c) || (b<= a - c)) return 4; if (a == b && b == c) return 3; if (((a == b) && (b != c)) || ((a == c) && (a != b) && ((b == c) && (b != a)))) return 2; return 1; }

19 Which of Correct1 or Correct2 is “better”? public static int classify(int i, int j, int k) { if ((i <= 0) || (j <= 0) || (k <= 0)) return 4; int type = 0; if (i == j) type = type + 1; if (i == k) type = type + 2; if (j == k) type = type + 3; if (type == 0) { if ((i + j <= k) || (j + k <= i) || (i + k <= j)) type = 4; else type = 1; return type; } if (type > 3) type = 3; else if ((type == 1) && (i + j > k)) type = 2; else if ((type == 2) && (i + k > j)) type = 2; else if ((type == 3) && (j + k > i)) type = 2; else type = 4; return type; } public static int classify(int a, int b, int c) { if (a <= 0 || b <= 0 || c <= 0) return 4; if (! (a > c - b && a > b - c && b > a - c)) return 4; if (a == b && b == c) return 3; if (a == b || b == c || a == c) return 2; return 1; }

20 463344(k+i>j)&&((k+j)>i)&&(j+i)>k)&&(j!=k)&&(i!=k)&&(i!=j)&&(k>0)&&(j>0)&&(i>0) 159250 (k+i i)&&(j+i>k)&&(j!=k)&&(i!=k)&&(i!=j)&&(k>0)&&(j>0)&&(i>0) 159250 (k+j k)&&(j!=k)&&(i!=k)&&(i!=j)&&(k>0)&&(j>0)&&(i>0) 159250 (j+i 0)&&(j>0)&&(i>0) 10000 (i<=0) 9900 (j 0) 9801 (k 0)&&(i>0) 7252 (k+j>i)&&(j==k))&&(i!=k)&&(i!=j)&&(k>0)&&(j>0)&&(i>0) 7252 (j+i>k)&&(i!=k)&&(i==j)&&(k>0)&&(j>0)&&(i>0) 7252 (k+i>j)&&(i==k)&&(i!=j)&&(k>0)&&(j>0)&&(i>0) 2450 (k+j 0)&&(j>0))&&(i>0) 2450 (j+i 0)&&(j>0)&&(i>0) 2450 (k+i 0)&&(j>0)&&(i>0) 99 (i==k)&&(i==j)&&(k>0)&&(j>0)&&(i>0) Correct1 All Partitions with sizes

21 463344(a!=c)&&(b!=c)&&a!=b&&b>a-c&&(a>(b-c)&&(a>(c-b)&&(c>0)&&(b>0)&&(a>0) 161700 b (b-c)))&&(a>(c-b)))&&(c>0))&&(b>0))&&(a>0) 161700 (a (c-b)))&&(c>0))&&(b>0))&&(a>0) 161700 (((a 0))&&(b>0))&&(a>0) 10000 (a<=0) 9900 (b 0) 9801 (c 0)&&(a>0) 7252 a==c&&(b!=c)&&(a!=b))&&b>a-c&&a>b-c&&a>c-b&&c>0&&b>0&&(a>0) 7252 b!=c&&a==b&&(b>(a-c)))&&(a>(b-c)))&&(a>(c-b)))&&(c>0))&&(b>0))&&(a>0) 7252 b==c&&a!=b&&(b>(a-c)))&&(a>(b-c)))&&(a>(c-b)))&&(c>0))&&(b>0))&&(a>0) 99 (i==k)&&(i==j)&&(k>0)&&(j>0)&&(i>0) Correct2 All Partitions with sizes Correct2 is “better” it has less paths dealing with the Illegal Triangle case

22 public static void check(int a, int b, int c) { int test = classifyBuggy1(a, b, c); int oracle = classifyCorrect1(a, b, c); assert (test == oracle); } Test harness Record path conditions when assertion fails and count their sizes

23 Counting size of failing partitions Correct vs Buggy1 2 failing paths: 463344 and 154448 Correct vs Buggy2 2 failing paths: 7252 and 7252 Buggy2 is closer than Buggy1

24 Observation Buggy1 is closer in edit distance to a correct version – One might intuitively think it is thus “closer” to correct – Clearly this is not the case, and, which syntactically correct version should one consider? – However, might it be an issue for a progress bar?

25 Side track Mutations in programs can have bigger effect than one might think Notice how a small = change made the program incorrect on more inputs than a logical mistake Can we rank mutation operators according to how much of the behavior of a program they mutate?

26 Mutation Example boolean classify1(int i, int j : 0..99) { return i <= j; } boolean classify1(int i, int j) { return i >= j; } 1 boolean classify1(int i, int j) { return i < j; } 2 99% wrong1% wrong boolean classify1(int i, int j) { return i == j; } 3 49.5% wrong boolean classify1(int i, int j) { return true; } 4 49.5% wrong

27 Lets try it… int A(int x) if (x == 2) return 4; if (x == 6) return 12; return 0; Cut and paste int A(int x) if (x == 1) return 2; if (x == 2) return 4; if (x == 6) return 12; return 0; and one more… int A(int x) if (x == 1) return 2; if (x == 2) return 4; if (x == 6) return 12; return x+3; saw the comment… int Correct(int x : 0..9) return x*2; 10 7 6 6

28 And Again… Int B(int x, int y) if (x == 0 && y == 0) return 0; if (x == 0 && y == 1) return 1; if (x == 1 && y == 0) return 1; return 0; 9997 Int B(int x, int y) if (x == 0 && y == 0) return 0; if (x == 0 && y == 1) return 1; if (x == 1 && y == 0) return 1; if (x == 0 && y == 33) return 33; if (x == 33 && y == 0) return 33; return 0; 9995

29 And Again… int Correct(int x,y : 0..99) return x+y; 10000 Int B(int x, int y) if (x == 0 && y == 0) return 0; if (x == 0 && y == 1) return 1; if (x == 1 && y == 0) return 1; if (x == 0 && y == 33) return 33; if (x == 33 && y == 0) return 33; return x-y; 9898 Int B(int x, int y) return x-y; 9900 Oh no, backwards! Int B(int x, int y) if (x >= y) return x – y; return y - x; 9801

30 Time passed and he played CodeHunt… To get to the interesting examples!

31 Last one… Bool Correct(int x : 0..199) return (x>=50) ? false : true; Bool C(int x) { if (x == 0) return true; return false; 49 Bool C(int x) { if (x == 0) return true; if (x == 4) return true; if (x == 32) return true; if (x == 36) return true; return false; 46 Bool C(int x) { if (x == 0) return true; if (x == 4) return true; if (x == 32) return true; if (x == 36) return true; if (x >= 64) return false; return false; 46 Bool C(int x) { if (x >= 64) return false; else return true; 14

32 Conclusions The bounds are important – Even in CodeHunt now you can expose the bounds PEX is using – For model counting the bounds must be exposed Should we give raw scores or descriptions – Way Off, A little better, Now you are getting there,… Can we actually do Model Counting for all the required domains? – Strings are new to the model counting game

33 The Green Framework http://green-solver.googlecode.com Already integrated into Symbolic PathFinder

34 Resources ISSTA 2012 – Probabilistic Symbolic Execution FSE 2012 – Green: Reduce, Reuse and Recycle Constraints… ICSE 2013 – Software Reliability with Symbolic PathFinder PLDI 2014 – Compositional Solution Space Quantification for Probabilistic Software Analysis FSE 2014 – Statistical Symbolic Execution with Informed Sampling ASE 2014 – Exact and Approximate Probabilistic Symbolic Execution for Nondeterministic Programs Implemented in Symbolic PathFinder – Using LattE

Download ppt "Model Counting with Applications to CodeHunt Willem Visser Stellenbosch University South Africa."

Similar presentations

Python Programming Chapter 5: Fruitful Functions Saad Bani Mohammad Department of Computer Science Al al-Bayt University 1 st 2011/2012.

Python Programming Chapter 5: Fruitful Functions Saad Bani Mohammad Department of Computer Science Al al-Bayt University 1 st 2011/2012.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.

Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
COMP 14 Introduction to Programming Miguel A. Otaduy May 20, 2004.

COMP 14 Introduction to Programming Miguel A. Otaduy May 20, 2004.
Parameterizing Random Test Data According to Equivalence Classes Chris Murphy, Gail Kaiser, Marta Arias Columbia University.

Parameterizing Random Test Data According to Equivalence Classes Chris Murphy, Gail Kaiser, Marta Arias Columbia University.
Black Box Software Testing

Black Box Software Testing
1 Functional Testing Motivation Example Basic Methods Timing: 30 minutes.

1 Functional Testing Motivation Example Basic Methods Timing: 30 minutes.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.

Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
Domain testing Tor Stålhane. Domain testing revisited We have earlier looked at domain testing as a simple strategy for selecting test cases. We will.

Domain testing Tor Stålhane. Domain testing revisited We have earlier looked at domain testing as a simple strategy for selecting test cases. We will.
Software Testing (Part 2)

Software Testing (Part 2)
CS1020E Sitin 1 Discussion -- Counting Palindromes.

CS1020E Sitin 1 Discussion -- Counting Palindromes.
Today’s Agenda  Quick Review  Finish Graph-Based Testing  Predicate Testing Software Testing and Maintenance 1.

Today’s Agenda  Quick Review  Finish Graph-Based Testing  Predicate Testing Software Testing and Maintenance 1.
Stochastic Algorithms Some of the fastest known algorithms for certain tasks rely on chance Stochastic/Randomized Algorithms Two common variations – Monte.

Stochastic Algorithms Some of the fastest known algorithms for certain tasks rely on chance Stochastic/Randomized Algorithms Two common variations – Monte.
Recursion A method is recursive if it makes a call to itself. A method is recursive if it makes a call to itself. For example: For example: public void.

Recursion A method is recursive if it makes a call to itself. A method is recursive if it makes a call to itself. For example: For example: public void.
1 CSC 221: Computer Programming I Spring 2010 interaction & design  modular design: roulette game  constants, static fields  % operator, string equals.

1 CSC 221: Computer Programming I Spring 2010 interaction & design  modular design: roulette game  constants, static fields  % operator, string equals.
50.530 Exercise Solutions 2014 Fall Term. Week 2: Exercise 1 public static Boolean repOK(Stack mystack) { if (mystack.capacity() < 0) { return false;

Exercise Solutions 2014 Fall Term. Week 2: Exercise 1 public static Boolean repOK(Stack mystack) { if (mystack.capacity() < 0) { return false;

Similar presentations

Ads by Google