Published by Regina Clarke. Modified over 8 years ago.
1
Boolean Programs: A Model and Process For Software Analysis
By Thomas Ball and Sriram K. Rajamani, Microsoft technical paper MSR-TR-2000-14
Presented by Yunho Kim, Provable Software Lab, KAIST
2
Contents
Boolean Programs: A Model and Process For Software Analysis, Yunho Kim, Provable Software Lab, KAIST 2/22
Introduction
Constructing Boolean programs
Checking feasibility
Conclusion
3
Introduction
The choice of a model for software is a fundamental issue in model checking of software. The following are the key points of a good model:
- A representation R of the model is analogous to a finite state machine (FSM), and there are efficient algorithms to model check R
- The model checking algorithms on R report the shortest trace to an error
- Programming languages such as C, C++ and Java have translations into R
4
Introduction
Boolean programs are a good representation for software model checking.

Program P:
  numUnits: int;
  level: int;
  void getUnit(){
  [1]  canEnter: bool := F;
  [2]  if (numUnits = 0){
  [3]    if (level > 10){
  [4]      newUnit();
  [5]      numUnits := 1;
  [6]      canEnter := T;
         }
       } else
  [7]    canEnter := T;
  [8]  if (canEnter)
  [9]    if (numUnits = 0)
  [10]     assert(F);
         else
  [11]     gotUnit();
  }

Boolean program B of P:
  nU0: bool;
  void getUnit(){
  [1]  cE: bool := F;
  [2]  if (nU0){
  [3]    if (?){
  [4]      skip;
  [5]      nU0 := F;
  [6]      cE := T;
         }
       } else
  [7]    cE := T;
  [8]  if (cE)
  [9]    if (nU0)
  [10]     skip;
         else
  [11]     skip;
  }

- All variables in Boolean programs have Boolean type
- Each Boolean variable in B corresponds to a Boolean expression in P
- P and B have the same control structure
5
Introduction
The X programming language is a simple imperative language with procedures, assignments, if, while and asserts. The type of a variable in the X language ranges over integers, finite enumerations and a three-valued type.
- From now on, the Boolean type extends to three-valued logic

Kleene's three-valued interpretation of ∧, ∨ and ¬:

  ∧      | true   | false  | ?
  true   | true   | false  | ?
  false  | false  | false  | false
  ?      | ?      | false  | ?

  ∨      | true   | false  | ?
  true   | true   | true   | true
  false  | true   | false  | ?
  ?      | true   | ?      | ?

  ¬      | true   | false  | ?
         | false  | true   | ?
6
Introduction
Overview of the SLAM process (diagram):
1. Constructing Boolean program: from program P and specification φ, build the Boolean program B
2. Model checking B: the result is either "φ true" or an error trace p
3. Feasible? Check the error trace p: if it is feasible, report "φ false" with p as the counterexample; if it is an infeasible path, eliminate it and go back to step 1 with a refined Boolean program
Today's focus: constructing the Boolean program and the feasibility check.
7
Contents
Introduction
Constructing Boolean programs
Checking feasibility
Conclusion
8
Constructing Boolean programs
For simplicity, we assume that all programs are in X-normal form. An X program P is in X-normal form if all of the following hold:
- Every assert statement in P is followed by a skip statement
- All Boolean expressions in if and while statements of P are ?
- All assignment statements in P assign to a single variable

Translation into X-normal form:
  X program              X-normal form
  if(e) {A} else {B}     if(?) { assert(e); skip; A } else { assert(!e); skip; B }
  while(e) {S}           while(?) { assert(e); skip; S } assert(!e); skip;
9
Constructing Boolean programs
B(P, E) is the Boolean program of P with respect to E
- P is an X program in X-normal form
Let E = { e1, e2, ..., en } be a set of Boolean expressions over variables in P and constants in X, and let V_B = { b1, b2, ..., bn } be the set of Boolean variables in B(P, E)
- Let E(b_i) denote the corresponding Boolean expression e_i
Each statement s in P is transformed to a corresponding statement in B(P, E), except for asserts
- An assert statement is transformed to two statements in B(P, E)
10
Constructing Boolean programs
Translation tables into B(P, E)
I(s, e) denotes the truth value of the Boolean variable b corresponding to e, after executing statement s. F(e) denotes the weakest disjunction of minterms over V_B such that the corresponding expression of F(e) implies e.

  Statement(s) in P         Translation in B(P, E)
  [i] if(?)                 [i] if(?)
  [i] while(?)              [i] while(?)
  [i] x := e                [i] b1, ..., bn := I(x:=e, e1), ..., I(x:=e, en)
  [i] assert(e) [j] skip    [i] assert(!F(!e)) [j] b1, ..., bn := I(assert(e), e1), ..., I(assert(e), en)
  [i] skip                  [i] skip
11
Constructing Boolean programs
Then, how can we find the result of I(s, e), the truth value of e after execution of s?
- The answer is the weakest precondition!
  WP(x := e, f) = f[x ← e]
  WP(assert(e), f) = e ⇒ f
Let F(e) denote the largest disjunction of minterms over V_B such that E(F(e)) ⇒ e
- A minterm is a conjunction built only from the variables of V_B and their complements, each variable appearing exactly once
- Intuitively, E(F(e)) is the weakest expression over E that implies e
E(F(WP(s, e))) is the weakest precondition over E
- If E(F(WP(s, e))) is true, then after executing s, e becomes true
- If E(F(WP(s, !e))) is true, then after executing s, e becomes false
12
Constructing Boolean programs
Example: E = {(x=1), (x=2), (x ≤ 3)} and V_B = {b1, b2, b3}
- E(b1) = (x=1), E(b2) = (x=2), E(b3) = (x ≤ 3)
The statement s is x := x+1

                          e = (x=1)            e = (x=2)             e = (x ≤ 3)
  WP(x:=x+1, e)           x = 0                x = 1                 x ≤ 2
  F(WP(x:=x+1, e))        False                b1                    b1 ∨ b2
  E(F(WP(x:=x+1, e)))     False                x = 1                 x = 1 ∨ x = 2
  WP(x:=x+1, !e)          x ≠ 0                x ≠ 1                 x ≥ 3
  F(WP(x:=x+1, !e))       b1 ∨ b2 ∨ !b3        !b1 ∨ b2 ∨ !b3        !b3
  E(F(WP(x:=x+1, !e)))    x=1 ∨ x=2 ∨ x>3      x≠1 ∨ x=2 ∨ x>3       x > 3
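The WP / F(e) construction of the last three slides, carried out for the example above as an added example (not the paper's or the talk's code). It computes F(WP(x := x+1, e)) and F(WP(x := x+1, !e)) for each e in E and derives the three-valued I(s, e) for a given valuation of (b1, b2, b3); the bounded integer DOMAIN used to decide implications stands in for SLAM's theorem prover and is an assumption of this example.

```python
from itertools import product

# Added example (not the paper's or the talk's code): predicate abstraction of
# the statement x := x+1 over E = {x=1, x=2, x<=3} by the WP / F(e) construction
# of the slides. SLAM asks a theorem prover whether E(m) implies e; here the
# implication is checked by enumerating a bounded integer domain, an assumption
# that is exact for these predicates but not a decision procedure in general.
DOMAIN = range(-20, 21)
E = [lambda x: x == 1, lambda x: x == 2, lambda x: x <= 3]   # E(b1), E(b2), E(b3)

def wp_assign(rhs, f):
    """WP(x := rhs, f) = f[x <- rhs]; expressions are Python predicates of x."""
    return lambda x: f(rhs(x))

def minterm_expr(m):
    """E(m) for a minterm m over V_B, written as a tuple of booleans (b1, .., bn)."""
    return lambda x: all(E[i](x) == m[i] for i in range(len(E)))

def F(e):
    """Minterms m with E(m) satisfiable and E(m) => e on DOMAIN; their
    disjunction is the slides' F(e) before don't-care simplification."""
    kept = set()
    for m in product([True, False], repeat=len(E)):
        em = minterm_expr(m)
        if any(em(x) for x in DOMAIN) and all(e(x) for x in DOMAIN if em(x)):
            kept.add(m)
    return kept

def I(rhs, e, state):
    """I(x := rhs, e): three-valued next value of the Boolean variable for e,
    given the current valuation 'state' of (b1, .., bn)."""
    if state in F(wp_assign(rhs, e)):
        return True
    if state in F(wp_assign(rhs, lambda x: not e(x))):
        return False
    return None          # '?': e may be either true or false after the statement

def step(rhs, state):
    """Parallel assignment b1,..,bn := I(s,e1),..,I(s,en) of the Boolean program."""
    return tuple(I(rhs, e, state) for e in E)

inc = lambda x: x + 1    # the statement x := x+1 of the slide
if __name__ == "__main__":
    print(step(inc, (True, False, True)))   # x = 1        -> (False, True, True), i.e. x = 2
    print(step(inc, (False, False, True)))  # x in {0, 3}  -> (None, False, None)
```

The second call shows where the '?' value comes from: the abstract state (b1, b2, b3) = (F, F, T) covers both x = 0 and x = 3, and after x := x+1 these disagree on x = 1 and on x ≤ 3.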
13
Constructing Boolean programs
There is a difference between assert(F(e)) and assert(!F(!e))
- F(e) ⇒ e ⇒ !F(!e)
Example: E = {(x<y), (y<z)} and V_B = {b1, b2}
- E(b1) = (x<y), E(b2) = (y<z)
- e = (x < z)

                        E(F(e))      e       E(!F(!e))    E(F(!e))     !e      E(!F(e))
  Expression over E     x<y ∧ y<z    x<z     x<y ∨ y<z    x≥y ∧ y≥z    x≥z     x≥y ∨ y≥z
  (x,y,z) = (1,2,3)     True         True    True         False        False   False
  (x,y,z) = (1,3,2)     False        True    True         False        False   True
  (x,y,z) = (1,3,0)     False        False   True         False        True    True
  (x,y,z) = (3,2,1)     False        False   False        True         True    True
14
Contents
Introduction
Constructing Boolean programs
Checking feasibility
Conclusion
15
Checking Feasibility
Feasibility checking checks whether a given error trace π in B(P, E) is a feasible trace p in P
- By using the modified strongest postcondition
The modified strongest postcondition uses a context instead of an expression
- SP is applied to a context and a statement, instead of SP(f, x := e) on an expression f
A context is a triple of a store, a history Π and a set of conditions Φ
- The store is the current valuation of the variables in p
- Π is a set called the history, which represents the past valuations of the variables in p
- Φ is a set of Boolean expressions called conditions, which represents the constraints introduced by assert statements
16
Checking Feasibility
Let V(p) be the set of variables appearing in p. Let Exp denote the set of expressions over Θ(p) and the constants in X
- Θ(p) = { θ_{x,p} | x ∈ V(p) } is a set of symbolic constants in one-to-one correspondence with the variables of V(p)
A context is a triple formally defined as
- the store is a partial function V(p) → Exp
- Π ⊆ V(p) × Exp
- Φ is a set of Boolean expressions from Exp

Example:
  p              store                 Π       Φ
  assert(b>0)                                  θ_{b,p} > 0
  b := b+1       b ↦ θ_{b,p} + 1               θ_{b,p} > 0
17
Checking Feasibility
The strongest postcondition SP maps a context and a statement to a new context
- Given a store and a set of variables X ⊆ V(p), let undef(store, X) = { … | x ∈ X, store(x) not defined }
- For an assignment x := e, SP updates the current valuation of x and stores the old value in the history Π
- For assert(e), SP updates the conditions Φ only
The initial context has a store that is undefined everywhere, an empty history and no conditions
p is feasible iff the conjunction of all conditions, ∧_{c ∈ Φ} c, is satisfiable
18
Checking Feasibility
Example: this trace is infeasible because (θ_{b,p} > 0) ⇒ (2θ_{b,p} ≠ θ_{b,p} − 1)

  p              store                              Π                 Φ
  assert(b>0)                                                         θ_{b,p} > 0
  c := b+b       c ↦ 2θ_{b,p}                                         θ_{b,p} > 0
  a := b         c ↦ 2θ_{b,p}, a ↦ θ_{b,p}                            θ_{b,p} > 0
  a := a-1       c ↦ 2θ_{b,p}, a ↦ θ_{b,p} − 1      ⟨a, θ_{b,p}⟩      θ_{b,p} > 0
  assert(a<b)    c ↦ 2θ_{b,p}, a ↦ θ_{b,p} − 1      ⟨a, θ_{b,p}⟩      θ_{b,p} > 0, θ_{b,p} − 1 < θ_{b,p}
  assert(c=a)    c ↦ 2θ_{b,p}, a ↦ θ_{b,p} − 1      ⟨a, θ_{b,p}⟩      θ_{b,p} > 0, θ_{b,p} − 1 < θ_{b,p}, 2θ_{b,p} = (θ_{b,p} − 1)
19
Eliminating infeasible paths
To eliminate infeasible paths in a Boolean program, we need to refine the Boolean program. Let C(⟨x, e⟩) denote the Boolean expression (x = e), and extend C to a set of pairs. Then E = C(store) ∪ C(Π) ∪ Φ is a sufficient set of conditions to make p feasible in B(P, E)
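The symbolic path simulator of the feasibility slides and the refinement set of the slide above, run over the example trace, as an added example (not the paper's or the talk's code). Expressions are kept as Python source strings with theta_x as the symbolic constant of variable x; deciding satisfiability by enumerating small integers for the symbolic constants is an assumption of this example that stands in for the theorem prover SLAM uses.

```python
import itertools, re

# Added example (not the paper's or the talk's code): the modified strongest
# postcondition SP over contexts <store, history, conditions>, run on the trace
# of the feasibility example, plus the refinement set E = C(store) u C(Pi) u Phi.
# Expressions are Python source strings; theta_x is the symbolic constant of x.
# Satisfiability is decided by bounded enumeration of the symbolic constants,
# an assumption that replaces the theorem prover used in SLAM.

def symbolic(expr, store):
    """Replace each program variable in expr by its store value, or by its
    symbolic constant theta_x when the store is undefined for x."""
    def sub(m):
        v = m.group(0)
        if v.startswith("theta_"):
            return v
        return "(" + store[v] + ")" if v in store else "theta_" + v
    return re.sub(r"[A-Za-z_]\w*", sub, expr)

def sp(ctx, stmt):
    """SP(<store, history, conditions>, stmt) for 'x := e' and 'assert(e)'."""
    store, hist, conds = ctx
    if stmt.startswith("assert("):
        e = stmt[len("assert("):-1]
        e = re.sub(r"(?<![<>!=])=(?!=)", "==", e)   # X's '=' is Python's '=='
        return store, hist, conds + [symbolic(e, store)]
    x, e = [s.strip() for s in stmt.split(":=")]
    if x in store:                          # old valuation moves to the history
        hist = hist + [(x, store[x])]
    return {**store, x: symbolic(e, store)}, hist, conds

def run(trace, ctx=({}, [], [])):           # initial context: store undefined everywhere
    for stmt in trace:                      # sp never mutates ctx, so the default is safe
        ctx = sp(ctx, stmt)
    return ctx

def feasible(conds, bound=20):
    """Is the conjunction of all conditions satisfiable? (bounded enumeration)"""
    consts = sorted({c for e in conds for c in re.findall(r"theta_\w+", e)})
    for vals in itertools.product(range(-bound, bound + 1), repeat=len(consts)):
        if all(eval(e, {}, dict(zip(consts, vals))) for e in conds):
            return True
    return False

def refinement(ctx):
    """E = C(store) u C(history) u conditions: predicates that eliminate p."""
    store, hist, conds = ctx
    return [f"{x}=={e}" for x, e in list(store.items()) + hist] + conds

# The trace of the feasibility example (constructed input)
TRACE = ["assert(b>0)", "c := b+b", "a := b", "a := a-1", "assert(a<b)", "assert(c=a)"]
```

run(TRACE) ends with conditions theta_b>0, (theta_b)-1<theta_b and (theta_b+theta_b)==((theta_b)-1), which feasible() reports unsatisfiable; dropping the last assert makes the trace feasible with theta_b = 1.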
20
Contents
Introduction
Constructing Boolean programs
Checking feasibility
Conclusion
21
Conclusion
A Boolean program is a good representation for software model checking. The transformation to a Boolean program uses the weakest precondition. A symbolic path simulator using the strongest postcondition checks the feasibility of a given trace.
22
Reference
Boolean Programs: A Model and Process For Software Analysis, by Thomas Ball and Sriram K. Rajamani, Microsoft Technical Report MSR-TR-2000-14