Slide 1: Counter Example Guided Refinement (CEGAR)
Mooly Sagiv
Slide 2: Challenges
Correctness requirements
Decidability and complexity of program verification
Abstract models of systems
Algorithms
Slide 3: SLAM
Microsoft blames most Windows crashes on third party device drivers
The Windows device driver API is quite complicated
Drivers are low level C code
SLAM: Tool to automatically check device drivers for certain errors
SLAM is shipped with Device Driver Development Kit
Full detail available at http://research.microsoft.com/slam/
Slide 4: “Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability”
[Figure: Static Driver Verifier workflow. Development produces Source Code; together with Precise API Usage Rules (SLIC) it feeds Software Model Checking, which reports Defects with 100% path coverage. Testing reads the Rules for understanding, contributes New API rules, and the rules drive testing tools.]
Slide 5: Recap
Many abstract domains
Signs
Odd/Even
Constant propagation
Intervals
[Polyhedra]
Canonic abstraction
Domain constructors
…
Static Algorithms
Iterative Chaotic Iterations
Widening/Narrowing
Interprocedural Analysis
Concurrency
Modularity
Non-Iterative methods
Slide 6: A Lattice of Abstractions
Every element is an abstract domain
A is below A’ in the lattice if there exists a Galois Connection from A to A’
Slide 7: But how to find the appropriate abstract domain?
Precision vs. Scalability
Sometimes precision improves scalability
Specialize the abstraction for the desired property
Slide 8: Counter Example Guided Refinement (CEGAR)
Run the analysis with a simple abstract domain
When the analysis verifies the property, declare done
If the analysis reports an error, employ a theorem prover to identify whether the error is feasible
If the error is feasible, generate a concrete trace
If the error is spurious, refine the abstract domain and repeat
Slide 9: A Simple Example
z = 5
if (y > 0)
  x = z;
else
  x = -y;
assert x > 0
Abstract domain: sign(x)
[Figure: control-flow graph of the program (z = 5; branch on y > 0 with edges T and F; x = z; x = -y; assert x > 0) annotated with abstract states over sign(x). The sign of x is unknown after x = z and at the assertion, so the assertion cannot be verified.]
Slide 10: A Simple Example
(same program)
Abstract domain: sign(x), sign(y)
[Figure: the same control-flow graph annotated with abstract states. After the branch, y is P on the T edge ([x unknown, y P]) and N on the F edge ([x unknown, y N]); x = -y gives [x P, y N], but x = z still leaves x unknown ([x unknown, y P]); the join at the assertion is [x unknown, y unknown], so the assertion is not verified.]
Slide 11: A Simple Example
(same program)
Abstract domain: sign(x), sign(y), sign(z)
[Figure: after z = 5 the state is [x unknown, y unknown, z P]; the T edge gives [x unknown, y P, z P] and the F edge [x unknown, y N, z P]; x = z yields [x P, y P, z P] and x = -y yields [x P, y N, z P]; the join at the assertion is [x P, y unknown, z P], so the assertion is verified.]
Slide 12: Simple Example (local abstractions)
(same program)
Abstract domain: sign(x), sign(y), sign(z), each tracked only where it is needed
[Figure: the same control-flow graph with local abstract states: [] at entry, [z P] after z = 5, [y P, z P] on the T edge and [y N] on the F edge, [x P] after x = z and after x = -y, and [x P] at the assertion, which is verified.]
Slide 13: Plan
Predicate Abstraction
CEGAR in BLAST (inspired by SLAM), POPL’04
Limitations
Slide 14: BLAST
www.eecs.berkeley.edu/~blast/
Berkeley Lazy Abstraction Software Tool
Slide 15: Abstractions from Proofs: POPL’04
Ranjit Jhala, UCSD
Rupak Majumdar, MPI
Ken McMillan, MSR
Thomas Henzinger, IST
Slide 16: Predicate Abstraction: A crash course
[Figure: Program State Space with Initial and Error regions, and its Abstraction.]
Abstraction: predicates on program state
Signs: x > 0
Aliasing: a relation between &x and &y
States satisfying the same predicates are equivalent
Merged into single abstract state
Slide 17: (Predicate) Abstraction: A crash course
[Figure: the same state space and its abstraction.]
Q1: Which predicates are required to verify a property?
Slide 18: The Predicate Abstraction Domain
Fixed set of predicates Pred
The meaning of each predicate p_i in Pred is a closed first order formula f_i
The relational domain is the powerset lattice over P(P(Pred)), ordered by inclusion, with P(Pred) as its top element
Join is set union
State space explosion
Special case of canonic abstraction
Slide 19: A Simple Example
int x, y;
x = 1;
y = 2;
while (*) do {
  x = x + y;
}
assert x > 0;
Predicates: p1 = x > 0, p2 = y ≥ 0
bool p1, p2;
p1 = true;
p2 = true;
while (*) do {
  p1 = (p1 && p2 ? 1 : *)
}
assert p1;
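As an added example (not from the slides): compute the abstract transformer of x = x + y over the predicates p1, p2 by sampling concrete states, then model-check the resulting boolean program. It assumes p2 is y ≥ 0 (the comparison symbol did not survive extraction) and uses a bounded integer box where c2bp would call a theorem prover; the function names are mine.

```python
from itertools import product

# Predicates from the slide; p2 is assumed to be y >= 0.
PREDS = {"p1": lambda x, y: x > 0, "p2": lambda x, y: y >= 0}

def abstract(x, y):
    """Concrete state -> abstract state: the tuple (p1, p2) of truth values."""
    return (PREDS["p1"](x, y), PREDS["p2"](x, y))

def loop_body(x, y):
    """Concrete semantics of the loop body x = x + y."""
    return x + y, y

def abstract_transformer(stmt, lo=-6, hi=6):
    """Best abstract transformer of stmt over a sampled box of integers.
    For each abstract state, collect every abstract successor observed on a
    concrete state satisfying it (c2bp asks a theorem prover instead of
    sampling; the box is an assumption that suffices for this example)."""
    table = {}
    for x, y in product(range(lo, hi + 1), repeat=2):
        table.setdefault(abstract(x, y), set()).add(abstract(*stmt(x, y)))
    return table

def reachable_abstract_states(transformer, init):
    """Explicit-state model checking of the boolean program: because the
    loop is while (*), every reachable abstract state is also a loop exit."""
    seen, work = {init}, [init]
    while work:
        s = work.pop()
        for t in transformer.get(s, set()):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def assertion_holds():
    """x = 1; y = 2 enters the loop in abstract state (True, True); the
    assertion x > 0 is verified iff p1 holds in every reachable state."""
    reach = reachable_abstract_states(abstract_transformer(loop_body), abstract(1, 2))
    return all(p1 for p1, _p2 in reach)

if __name__ == "__main__":
    for s, succ in sorted(abstract_transformer(loop_body).items()):
        print(f"(p1,p2)={s} -> {sorted(succ)}")   # (True, True) -> [(True, True)] only
    print("assert x > 0 verified:", assertion_holds())
```

The transformer row for (True, True) is exactly the slide's `p1 = (p1 && p2 ? 1 : *)`: from p1 ∧ p2 the only successor keeps p1 true, while every other row yields both values of p1.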
Slide 20: SLAM Example
do {
  KeAcquireSpinLock();
  nPacketsOld = nPackets;
  if (request) {
    request = request->Next;
    KeReleaseSpinLock();
    nPackets++;
  }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock();
Does this code obey the locking rule?
Slide 21: SLAM Example
do {
  KeAcquireSpinLock();
  if (*) {
    KeReleaseSpinLock();
  }
} while (*);
KeReleaseSpinLock();
Model checking the boolean program (bebop)
[Figure: the boolean program annotated with the lock state at each point, U (unlocked) or L (locked); the abstract counterexample releases the lock inside the if, exits the loop and releases again, reaching the error state E.]
Slide 22: SLAM Example
(the C code of Slide 20)
Is the error path feasible in the C program? (newton)
[Figure: the same U/L/E annotations mapped back onto the C code. The path is infeasible: nPackets++ makes nPackets != nPacketsOld true, so the loop cannot exit right after the release.]
Slide 23: SLAM Example
Add new predicate to the boolean program (c2bp): b : (nPacketsOld == nPackets)
do {
  KeAcquireSpinLock();
  nPacketsOld = nPackets;   b = true;
  if (request) {
    request = request->Next;
    KeReleaseSpinLock();
    nPackets++;             b = b ? false : *;
  }
} while (nPackets != nPacketsOld);   !b
KeReleaseSpinLock();
Slide 24: SLAM Example
Model checking the refined boolean program (bebop), b : (nPacketsOld == nPackets)
do {
  KeAcquireSpinLock();
  b = true;
  if (*) {
    KeReleaseSpinLock();
    b = b ? false : *;
  }
} while (!b);
KeReleaseSpinLock();
[Figure: U/L annotations together with the value of b at each point; after the release inside the if, b is false, so the loop must iterate again and the error state E is no longer reachable.]
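The two bebop runs above, as an added example that is not SLAM’s own code: an explicit-state model check of the Slide 21 boolean program tracking only the lock state, and of the Slide 24 program with the predicate b tracked. The state encoding, the program-point numbering and the function names are my assumptions; the locking rule checked is the one the slides use (acquire only when unlocked, release only when locked).

```python
from collections import deque

# Program points of the refined boolean program (Slide 24).  With track_b=False
# the b statements are skipped and the loop condition is while (*), i.e. Slide 21.
#   0: KeAcquireSpinLock()   1: b = true        2: if (*)
#   3: KeReleaseSpinLock()   4: b = b ? false : *
#   5: while (!b)            6: KeReleaseSpinLock()   7: exit
ERROR = "E"   # locking rule violated: acquire when locked or release when unlocked

def successors(state, track_b):
    """Abstract state = (pc, lock, b); lock is 'U'/'L', b is None when untracked."""
    pc, lock, b = state
    if pc == 0:
        return [ERROR] if lock == "L" else [(1, "L", b)]
    if pc == 1:
        return [(2, lock, True if track_b else None)]
    if pc == 2:                                   # if (*): both branches possible
        return [(3, lock, b), (5, lock, b)]
    if pc == 3:
        return [ERROR] if lock == "U" else [(4, "U", b)]
    if pc == 4:
        if not track_b:
            return [(5, lock, None)]
        return [(5, lock, False)] if b else [(5, lock, True), (5, lock, False)]
    if pc == 5:                                   # loop back to 0 or exit to 6
        if not track_b:
            return [(0, lock, None), (6, lock, None)]
        return [(0, lock, b)] if not b else [(6, lock, b)]
    if pc == 6:
        return [ERROR] if lock == "U" else [(7, "U", b)]
    return []

def model_check(track_b):
    """Breadth-first search standing in for bebop: returns the abstract
    counterexample as a list of states ending in ERROR, or None if E is unreachable."""
    init = (0, "U", None)
    parent, work = {init: None}, deque([init])
    while work:
        s = work.popleft()
        for t in successors(s, track_b):
            if t in parent:
                continue
            parent[t] = s
            if t == ERROR:
                path = []
                while t is not None:
                    path.append(t)
                    t = parent[t]
                return path[::-1]
            work.append(t)
    return None

def cegar():
    """Seed abstraction tracks only the lock and yields a counterexample that
    newton would reject on the C code (request == NULL forces the loop to exit,
    request != NULL forces another iteration); refine with b and check again."""
    spurious = model_check(track_b=False)
    return spurious, model_check(track_b=True) is None
```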
Slide 25: Scalability vs. Verification
Many predicates tracked (e.g. values of variables): state explosion, analysis drowned in detail
Few predicates tracked (e.g. type of variables): imprecision hinders verification, spurious counterexamples
[Figure: a spectrum from scalability (few predicates) to verification (many predicates).]
Slide 26: Example
while (*) {
 1: if (p1) lock();
    if (p1) unlock();
    …
 2: if (p2) lock();
    if (p2) unlock();
    …
 n: if (pn) lock();
    if (pn) unlock();
}
Only track lock: bogus counterexample (lock; lock; unlock)
[Figure: the branch outcomes T, F, T along the bogus trace.]
Must correlate branches (scalability)
Predicate p1 makes the trace abstractly infeasible
p_i required for verification
Slide 27: Example
(same program)
Only track lock: bogus counterexample (lock; lock; unlock); must correlate branches (scalability)
Track lock and the p_i’s: state explosion, > 2^n distinct states, intractable (verification)
How can we get scalable verification?
Slide 28: By Localizing Precision
(same program; p1 matters at line 1, p2 at line 2, …, pn at line n)
Preds. used locally: Ex: 2 * n states
Preds. used globally: Ex: 2^n states
Q2: Where are the predicates required?
Slide 29: Counterexample Guided Refinement [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’01]
[Figure: the CEGAR loop. Program + Seed Abstraction → Abstract → Check: Is model safe? YES → SAFE. NO! (Trace) → if feasible → BUG; otherwise explanation: Why infeasible? → Refine → back to Abstract.]
What predicates remove the trace? Make it abstractly infeasible.
Where are predicates needed?
Slide 30: Counterexample Guided Refinement
[Figure: the same CEGAR loop as Slide 29.]
Slide 31: Counterexample Guided Refinement
[Figure: the same CEGAR loop; the Check step answers "safe".]
Slide 32: This Talk: Counterexample Analysis
[Figure: the CEGAR loop of Slide 29, focusing on the explanation step (Why infeasible?).]
What predicates remove the trace? Make it abstractly infeasible.
Where are predicates needed?
Slide 33: Plan
Motivation
Refinement using Traces
Simple
Procedure calls
Results
Slide 34: Trace Formulas
A single abstract trace represents an infinite number of concrete traces
Different loop iterations
Different concrete values
Solution
Only consider the concrete traces that follow the abstract trace, i.e. with the same number of executions
Use formulas to represent sets of states
Slide 35: Representing States as Formulas
[F] = the states satisfying F = {s | s ⊨ F}
F: a first-order formula over the program variables
[F1] ∩ [F2] = [F1 ∧ F2]
[F1] ∪ [F2] = [F1 ∨ F2]
The complement of [F] is [¬F]
[F1] ⊆ [F2] iff F1 implies F2, i.e. F1 ∧ ¬F2 is unsatisfiable
Slide 36: Counterexample Analysis
[Figure: the counterexample analysis pipeline. Trace → SSA → Trace Feasibility Formula → Theorem Prover (Thm Pvr): Y → Trace Feasible; N → Proof of Unsat. → Extract → Predicate Map: Prog Ctr → Predicates → Refine. The proof is the explanation of infeasibility.]
Q0: Is trace feasible?
Q1: What predicates remove trace?
Q2: Where are preds required?
Slide 37: Counterexample Analysis
[Figure: the same pipeline as Slide 36.]
Slide 38: Traces
Trace:
pc1: x = ctr
pc2: ctr = ctr + 1
pc3: y = ctr
pc4: assume(x = i-1)
pc5: assume(y ≠ i)
(annotation on the trace: y = x + 1)
Program:
pc1: x = ctr;
pc2: ctr = ctr + 1;
pc3: y = ctr;
pc4: if (x = i-1) {
pc5:   if (y != i) {
         ERROR:
       }
     }
Slide 39: Trace Feasibility Formulas
Trace:
pc1: x = ctr
pc2: ctr = ctr+1
pc3: y = ctr
pc4: assume(x=i-1)
pc5: assume(y ≠ i)
SSA Trace:
pc1: x1 = ctr0
pc2: ctr1 = ctr0+1
pc3: y1 = ctr1
pc4: assume(x1=i0-1)
pc5: assume(y1 ≠ i0)
Trace Feasibility Formula (TFF): x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0
Theorem: Trace is Feasible iff TFF is Satisfiable
Compact Verification Conditions [Flanagan, Saxe ’00]
Slide 40: Counterexample Analysis
[Figure: the same pipeline as Slide 36; Q0: Is trace feasible?]
Slide 41: Counterexample Analysis
[Figure: the same pipeline as Slide 36.]
Slide 42: Proof of Unsatisfiability
Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0
Proof of Unsatisfiability:
x1 = ctr0 and x1 = i0 - 1 give ctr0 = i0 - 1
ctr0 = i0 - 1 and ctr1 = ctr0 + 1 give ctr1 = i0
ctr1 = i0 and y1 = ctr1 give y1 = i0
y1 = i0 contradicts y1 ≠ i0
PROBLEM: the proof uses the entire history of the execution
Information flows up and down
No localized or state information!
Slide 43: The Present State…
Trace:
pc1: x = ctr
pc2: ctr = ctr + 1
pc3: y = ctr
pc4: assume(x = i-1)
pc5: assume(y ≠ i)
The present state … is all the information the executing program has here:
1. … after executing the trace prefix
2. … it knows the present values of the variables
3. … it makes the trace suffix infeasible
At pc4, which predicate on the present state shows infeasibility of the suffix?
Slide 44: What Predicate is needed?
Trace:
pc1: x = ctr
pc2: ctr = ctr + 1
pc3: y = ctr
pc4: assume(x = i-1)
pc5: assume(y ≠ i)
Trace Formula (TF): x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0
State … 1. … after executing the trace prefix; 2. … has the present values of the variables; 3. … makes the trace suffix infeasible
Predicate … … implied by the TF prefix
Slide 45: What Predicate is needed?
(same trace and TF; the cut at pc4 separates the prefix x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 from the suffix x1 = i0 - 1 ∧ y1 ≠ i0)
Predicate … … implied by the TF prefix … on the common variables (e.g. x1 appears on both sides of the cut)
Slide 46: What Predicate is needed?
(same trace and TF)
Predicate … … implied by the TF prefix … on the common variables … & TF suffix is unsatisfiable
Slide 47: What Predicate is needed?
(same trace, TF and requirements; the state knows the present values of the variables)
Slide 48: Craig’s Interpolation Theorem [Craig ’57]
Given formulas F⁻, F⁺ s.t. F⁻ ∧ F⁺ is unsatisfiable
There exists an Interpolant I for F⁻, F⁺, s.t.
F⁻ implies I
I has symbols common to F⁻, F⁺
I ∧ F⁺ is unsatisfiable
[Figure: F⁻ and F⁺ as two regions with the interpolant between them.]
Slide 49: Craig’s Interpolation Theorem (take 2)
Given formulas F⁻, F⁺ s.t. F⁻ implies F⁺
There exists an Interpolant I for F⁻, F⁺, s.t.
F⁻ implies I
I implies F⁺
I has symbols common to F⁻, F⁺
Slide 50: Examples of Craig’s Interpolation
F⁻ = b ∧ (b → c), F⁺ = ¬c; interpolant: c
F⁻ = x1 = ctr0 ∧ ctr1 = ctr0+1 ∧ y1 = ctr1, F⁺ = x1 = i0-1 ∧ y1 ≠ i0; interpolant: y1 = x1 + 1
Slide 51: Craig’s Interpolation Theorem [Craig ’57]
Given formulas F⁻, F⁺ s.t. F⁻ ∧ F⁺ is unsatisfiable
There exists an Interpolant I for F⁻, F⁺, s.t.
F⁻ implies I
I has only symbols common to F⁻, F⁺
I ∧ F⁺ is unsatisfiable
I is computable from the Proof of Unsat. of F⁻ ∧ F⁺ [Krajicek ’97] [Pudlak ’97]
(boolean) SAT-based Model Checking [McMillan ’03]
Slide 52: Interpolant = Predicate!
1. Predicate implied by trace prefix
2. Predicate on common variables (common = current value)
3. Predicate & suffix yields a contradiction
Require: F⁻ ∧ F⁺ unsatisfiable. Interpolate:
1. F⁻ implies I
2. I has symbols common to F⁻, F⁺
3. I ∧ F⁺ is unsatisfiable
Interpolant: the predicate
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x = i-1); pc5: assume(y ≠ i)
Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0
Slide 53: Interpolant = Predicate!
(same requirements, trace and trace formula as Slide 52; the cut at pc4 gives the interpolant y1 = x1 + 1)
Slide 54: Interpolant = Predicate!
(same requirements, trace and trace formula)
Predicate at pc4: y = x+1 (from the interpolant y1 = x1 + 1)
Slide 55: Building Predicate Maps
Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x = i-1); pc5: assume(y ≠ i)
Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0
Cut + Interpolate at each point
Pred. Map: pc_i: Interpolant from cut i
Cut at pc2 (F⁻ = x1 = ctr0, F⁺ = the rest of the formula): interpolant x1 = ctr0
Predicate Map: pc2: x = ctr
Slide 56: Building Predicate Maps
(same trace and trace formula)
Cut at pc3: interpolant x1 = ctr1 - 1
Predicate Map: pc2: x = ctr; pc3: x = ctr-1
Slide 57: Building Predicate Maps
(same trace and trace formula)
Cut at pc5: interpolant y1 = i0
Predicate Map: pc2: x = ctr; pc3: x = ctr-1; pc4: y = x+1; pc5: y = i
Slide 58: Building Predicate Maps
(same trace and trace formula)
Predicate Map: pc2: x = ctr; pc3: x = ctr-1; pc4: y = x+1; pc5: y = i
Theorem: the predicate map makes the trace abstractly infeasible
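The cut-and-interpolate construction of Slides 48–58 as an added example (not the paper’s or BLAST’s code): convert the Slide 38 trace to SSA, decide feasibility of the TFF, and check that each entry of the Slide 58 predicate map satisfies Craig’s three interpolant conditions at its cut. A brute-force search over a small integer box stands in for the theorem prover (FOCI); that is an assumption, and it can only find models inside the box. The function names are mine.

```python
import re
from itertools import product

# The Slide 38 trace: ("var", "rhs") is an assignment, ("assume", "cond") a guard.
TRACE = [("x", "ctr"), ("ctr", "ctr + 1"), ("y", "ctr"),
         ("assume", "x == i - 1"), ("assume", "y != i")]
VARS = ("x", "y", "ctr", "i")

def to_ssa(trace):
    """Rename each variable to its SSA version (v0 = value before any assignment);
    the returned conjuncts form the trace feasibility formula (TFF)."""
    ver = {v: 0 for v in VARS}
    rename = lambda s: re.sub(r"\b([a-z]+)\b", lambda m: f"{m[1]}{ver[m[1]]}", s)
    out = []
    for lhs, rhs in trace:
        if lhs == "assume":
            out.append(rename(rhs))
        else:
            rhs_ssa = rename(rhs)      # read old versions before bumping lhs
            ver[lhs] += 1
            out.append(f"{lhs}{ver[lhs]} == {rhs_ssa}")
    return out

def symbols(formulas):
    """SSA symbols (x1, ctr0, ...) mentioned by a list of formulas."""
    return set(re.findall(r"\b[a-z]+\d\b", " ".join(formulas)))

def satisfiable(formulas, lo=-3, hi=3):
    """Assumption: brute force over a small integer box replaces the prover."""
    syms = sorted(symbols(formulas))
    codes = [compile(f, "<tff>", "eval") for f in formulas]
    for vals in product(range(lo, hi + 1), repeat=len(syms)):
        env = dict(zip(syms, vals))
        if all(eval(c, {}, env) for c in codes):
            return True
    return False

def is_interpolant(prefix, interp, suffix):
    """Craig's three conditions: prefix implies interp, interp mentions only
    symbols common to prefix and suffix, interp and suffix are unsatisfiable."""
    common = symbols(prefix) & symbols(suffix)
    return (not satisfiable(prefix + [f"not ({interp})"])
            and symbols([interp]) <= common
            and not satisfiable([interp] + suffix))

# Predicate map from Slide 58, written on the SSA names live at each cut.
PRED_MAP = {2: "x1 == ctr0", 3: "x1 == ctr1 - 1", 4: "y1 == x1 + 1", 5: "y1 == i0"}

def check_predicate_map():
    """Returns (is the trace feasible?, {pc: predicate is an interpolant for cut pc})."""
    tff = to_ssa(TRACE)
    feasible = satisfiable(tff)            # False: the counterexample is spurious
    ok = {pc: is_interpolant(tff[:pc - 1], pred, tff[pc - 1:])
          for pc, pred in PRED_MAP.items()}
    return feasible, ok
```

The cut at pc_i puts the conjuncts of pc1..pc_{i-1} into F⁻ and those of pc_i..pc5 into F⁺, which is why the interpolant for each cut mentions only the SSA versions current at that point.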
Slide 59: Plan
Motivation
Refinement using Traces
Simple
Procedure calls
Results
Slide 60: Traces with Procedure Calls
Trace (with its Trace Formula in SSA form):
pc1: x1 = 3
pc2: assume (x1 > 0)
pc3: x3 = f1(x1)
pc4: y2 = y1
pc5: y3 = f2(y2)
pc6: z2 = z1+1
pc7: z3 = 2*z2
pc8: return z3
pc9: return y3
pc10: x4 = x3+1
pc11: x5 = f3(x4)
pc12: assume(w1<5)
pc13: return w1
pc14: assume x4>5
pc15: assume (x1=x3+2)
[Figure: the trace and its trace formula side by side, with a cut at point i.]
Find the predicate needed at point i
Slide 61: Interprocedural Analysis
[Figure: the trace and its trace formula with a cut at point i.]
Procedure Summaries [Reps, Horwitz, Sagiv ’95]
Polymorphic Predicate Abstraction [Ball, Millstein, Rajamani ’02]
Require at each point i: well-scoped predicates
YES: variables visible at i
NO: caller’s local variables
Find the predicate needed at point i
Slide 62: Problems with Cutting
[Figure: the cut at point i splits the trace formula into F⁻ and F⁺.]
Caller variables common to F⁻ and F⁺
Unsuitable interpolant: not well-scoped
Slide 63: Interprocedural Cuts
[Figure: the trace formula with the cut placed where the call begins.]
Slide 64: Interprocedural Cuts
[Figure: F⁻ and F⁺ for the cut placed where the call begins.]
Predicate at pc_i = Interpolant from cut i
Common Variables: Formals, Current locals
Slide 65: Interprocedural Cuts
Predicate at pc_i = Interpolant from i-cut
Common Variables: Formals
Well-scoped
Slide 66: Plan
Motivation
Refinement using Traces
Simple
Procedure calls
Results
Slide 67: Implementation
Algorithms implemented in BLAST
Verifier for C programs, Lazy Abstraction
[POPL ’02]
FOCI : Interpolating decision procedure
Examples:
Windows Device Drivers (DDK)
IRP Specification: 22 state FSM
Current: Security properties of Linux programs
Slide 68: Results
Program    LOC*    Previous Time    New Time    Predicates Total    Average
kbfiltr    12k     1m12s            3m48s       72                  6.5
floppy     17k     7m10s            25m20s      240                 7.7
diskperf   14k     5m36s            13m32s      140                 10
cdaudio    18k     20m18s           23m51s      256                 7.8
parport    61k     DNF              74m58s      753                 8.1
parclass   138k    DNF              77m40s      382                 7.2
Windows DDK, IRP (22 state)
* Pre-processed
Slide 69: Localizing works…
(the same results table as Slide 68)
Slide 70: Conclusion
Scalability and Precision by localizing
Craig Interpolation
Interprocedural cuts give well-scoped predicates
Some Current and Future Work:
Multithreaded Programs
Project local info of thread to predicates over globals
Hierarchical trace analysis
Slide 71: Limitations of CEGAR
Limited to powerset/relational abstract domains
Interpolant computations
Interactions with widening
Starting on the right foot
Unnecessary refinement steps
Long and infinite number of refinement steps
Long traces
Slide 72: Unnecessary Refinements
x = 0
while (x < 10^6) do
  x = x + 1
assert x < 100
Slide 73: Unsuccessful Refinement Set
x = malloc();
y = x;
while (…)
  t = malloc();
  t->next = x;
  x = t;
…
while (x != y) do
  assert x != null;
  x = x->next
Slide 74: Long Traces
Example() {
 1: c = 0;
 2: for (i = 1; i < 1000; i++)
 3:   c = c + f(i);
 4: if (a > 0) {
 5:   if (x == 0) {
      ERR: ;
    }
  }
}
Assume f always terminates
ERR is reachable: a and x are unconstrained
Any feasible path to error must unroll the loop 1000 times AND find feasible paths through f
Any other path must be dismissed as a false positive
Slide 75: Long Traces
(same program)
Intuitively, the for loop is irrelevant
ERR is reachable as long as there exists some path from 2 to 4 that does not modify a or x
Can we use static analysis to precisely report that a statement is reachable without finding a feasible path?
Slide 76: Long Traces
(same program)
[Figure: control-flow graph of Example: 1 (c = 0) → 2 (i = 1) → 2’ (loop head); edge i < 1000 → 3 (c = c + f(i); i++) → back to 2’; edge i ≥ 1000 → 4 (a > 0) → 5 (x == 0) → ERR. A second graph keeps only 1 → 4 (a > 0) → 5 (x == 0).]
Slide 77: Path Slice (PLDI’05)
The path slice of a program path is a subsequence of the edges of the path such that, if the sequence of operations along the subsequence is:
infeasible, then the path is infeasible, and
feasible, then the last location of the path is reachable (but not necessarily along the path)