Counter Example Guided Refinement - PowerPoint Presentation

Uploaded On 2022-08-01
Presentation Transcript

Slide1

Counter Example Guided RefinementCEGAR

Mooly Sagiv

Slide2

Challenges

Correctness requirements

Decidability and complexity of program verification

Abstract models of systems

Algorithms

Slide3

SLAM

Microsoft blames most Windows crashes on third party device drivers

The Windows device driver API is quite complicated

Drivers are low level C code

SLAM: Tool to automatically check device drivers for certain errors

SLAM is shipped with Device Driver Development Kit

Full detail available at http://research.microsoft.com/slam/

Slide4

“Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability”

[Figure: the Static Driver Verifier workflow. Development produces Source Code; precise API Usage Rules (SLIC) feed Software Model Checking, which reports Defects with 100% path coverage; Testing reads the Rules for understanding, derives new API rules, and drives testing tools.]

Slide5

Recap

Many abstract domains

Signs

Odd/Even

Constant propagation

Intervals

[Polyhedra]

Canonic abstraction

Domain constructors

Static Algorithms

Iterative: Chaotic Iterations, Widening/Narrowing, Interprocedural Analysis

Concurrency, Modularity, Non-Iterative methods

Slide6

A Lattice of Abstractions

Every element is an abstract domain

A ⊑ A’ if there exists a Galois Connection from A to A’

Slide7

But how to find the appropriate abstract domain

Precision vs. Scalability

Sometimes precision improves scalability

Specialize the abstraction for the desired property

Slide8

Counter Example Guided Refinement (CEGAR)

Run the analysis with a simple abstract domain.

When the analysis verifies the property, declare done.

If the analysis reports an error, employ a theorem prover to decide whether the error is feasible.

If the error is feasible, generate a concrete trace.

If the error is spurious, refine the abstract domain and repeat.

Slide9

A Simple Example

    z = 5
    if (y > 0)
        x = z;
    else
        x = -y;
    assert x > 0

Abstract domain: sign(x) only (⊤ = unknown sign, P = positive, N = negative).

Abstract states along the control-flow graph:

    z = 5                        [x ⊤]
    y > 0, T branch: x = z       [x ⊤]   (z is not tracked)
    y > 0, F branch: x = -y      [x ⊤]   (y is not tracked)
    assert x > 0                 [x ⊤], but [x P] is needed: the analysis reports an error

Slide10

A Simple Example

    (same program as above)

Abstract domain: sign(x), sign(y).

    z = 5                        [x ⊤, y ⊤]
    y > 0, T branch: x = z       [x ⊤, y P]
    y > 0, F branch: x = -y      [x P, y N]
    assert x > 0 (join)          [x ⊤, y ⊤]: still not provable

Slide11

A Simple Example

    (same program as above)

Abstract domain: sign(x), sign(y), sign(z).

    entry                        [x ⊤, y ⊤, z ⊤]
    z = 5                        [x ⊤, y ⊤, z P]
    y > 0, T branch: x = z       [x P, y P, z P]
    y > 0, F branch: x = -y      [x P, y N, z P]
    assert x > 0 (join)          [x P, y ⊤, z P]: the assertion is verified

Slide12

Simple Example (local abstractions)

    (same program as above)

Abstract domain: sign(x), sign(y), sign(z), but each program point tracks only the variables it needs.

    entry                        []
    z = 5                        [z P]
    y > 0, T branch              [y P, z P];  after x = z    [x P]
    y > 0, F branch              [y N];       after x = -y   [x P]
    assert x > 0                 [x P]

Slide13

Plan

Predicate Abstraction

CEGAR in BLAST (inspired by SLAM), POPL’04

Limitations

Slide14

BLAST

www.eecs.berkeley.edu/~blast/

Berkeley Lazy Abstraction Software Tool

Slide15

Abstractions from Proofs: POPL’04

Ranjit Jhala (UCSD), Rupak Majumdar (MPI), Ken McMillan (MSR), Thomas Henzinger (IST)

Slide16

Predicate Abstraction: A crash course

[Figure: the program state space, with Initial and Error regions, and its Abstraction.]

Abstraction: predicates on program state

Signs: x > 0

Aliasing: &x, &y

States satisfying the same predicates are equivalent: they are merged into a single abstract state

Slide17

(Predicate) Abstraction: A crash course

[Figure: the program state space, with Initial and Error regions, and its Abstraction.]

Q1: Which predicates are required to verify a property?

Slide18

The Predicate Abstraction Domain

Fixed set of predicates Pred

The meaning of each predicate p_i ∈ Pred is a closed first-order formula f_i

The relational domain is the powerset lattice over P(Pred): elements are sets of predicate sets, ordered by inclusion; join is set union

State space explosion

Special case of canonic abstraction

Slide19

A Simple Example

    int x, y;
    x = 1;
    y = 2;
    while (*) do {
        x = x + y;
    }
    assert x > 0;

Predicates: p1 = x > 0, p2 = y ≥ 0

Boolean program over the predicates:

    bool p1, p2;
    p1 = true;
    p2 = true;
    while (*) do {
        p1 = (p1 && p2 ? 1 : *);
    }
    assert p1;
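As an added example, not code from the slides, the Python below builds the boolean program of this slide from the two predicates and model-checks it. The second predicate, which the transcript shows with its comparison glyph lost, is read here as y ≥ 0 (an assumption). A real tool asks a theorem prover whether a predicate is definitely true, definitely false or unknown after a statement; here a bounded enumeration of concrete states in [-4, 4]² stands in for the prover, so the "always true / always false" verdicts are only as good as the sample range, while the reachability over the resulting boolean program is exact.

```python
from itertools import product

# Predicates over the concrete state (x, y) of the slide's program.
# Assumption: the slide's second predicate is read as y >= 0.
PREDICATES = {
    "p1": lambda x, y: x > 0,
    "p2": lambda x, y: y >= 0,
}
NAMES = tuple(PREDICATES)


def abstract(x, y):
    """Map a concrete state to its abstract state: the tuple of predicate values."""
    return tuple(PREDICATES[n](x, y) for n in NAMES)


def loop_body(x, y):
    """The concrete loop body of the slide: x = x + y."""
    return x + y, y


def abstract_transformer(stmt, bound=4):
    """Build the boolean-program transition of `stmt` over the predicates.
    For each abstract state, run `stmt` on every sample state in
    [-bound, bound]^2 that satisfies it and record, per predicate, whether
    the result is always True, always False, or mixed ('*' = unknown).
    The enumeration stands in for the theorem prover a real tool would call."""
    samples = list(product(range(-bound, bound + 1), repeat=2))
    table = {}
    for a in product([False, True], repeat=len(NAMES)):
        outcomes = {abstract(*stmt(x, y)) for x, y in samples if abstract(x, y) == a}
        post = []
        for i in range(len(NAMES)):
            seen = {o[i] for o in outcomes}
            post.append(seen.pop() if len(seen) == 1 else "*")
        table[a] = tuple(post)
    return table


def successors(a, table):
    """One boolean-program step from abstract state a; '*' yields both values."""
    choices = [[False, True] if v == "*" else [v] for v in table[a]]
    return {tuple(c) for c in product(*choices)}


def check_boolean_program(table, init=(True, True), goal="p1"):
    """Explore `while (*) { x = x + y }` on the boolean program from `init`
    (x = 1, y = 2 makes both predicates true) and report whether `goal`
    holds in every reachable abstract state, plus the reachable set."""
    reach, todo = {init}, [init]
    while todo:
        a = todo.pop()
        for b in successors(a, table):
            if b not in reach:
                reach.add(b)
                todo.append(b)
    idx = NAMES.index(goal)
    return all(s[idx] for s in reach), reach


if __name__ == "__main__":
    table = abstract_transformer(loop_body)
    for a, post in sorted(table.items()):
        print(dict(zip(NAMES, a)), "->", dict(zip(NAMES, post)))
    safe, reach = check_boolean_program(table)
    print("assert p1 holds on all reachable abstract states:", safe, reach)
```

The computed transition reproduces the slide's boolean program: from (p1, p2) = (true, true) the body keeps p1 true, from (false, false) it keeps p1 false, and in the two mixed cases p1 becomes `*`. Starting from (true, true) only that state is reachable, so `assert p1` is verified without ever looking at concrete values of x.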

Slide20

SLAM Example

    do {
        KeAcquireSpinLock();
        nPacketsOld = nPackets;
        if (request) {
            request = request->Next;
            KeReleaseSpinLock();
            nPackets++;
        }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();

Does this code obey the locking rule?

Slide21

SLAM Example: model checking the boolean program (bebop)

    do {
        KeAcquireSpinLock();
        if (*) {
            KeReleaseSpinLock();
        }
    } while (*);
    KeReleaseSpinLock();

[Figure: the control-flow graph labelled with the lock state at each point (U = unlocked, L = locked, E = error); looping back while still locked and acquiring again reaches E.]

Slide22

SLAM Example: is the error path feasible in the C program? (newton)

    (the original C code, as on Slide20)

[Figure: the same control-flow graph with the U/L/E labels. The error path loops back without executing the if-body, so nPacketsOld == nPackets and the loop condition nPackets != nPacketsOld is false: the path is infeasible.]

Slide23

SLAM Example: add a new predicate to the boolean program (c2bp)

    b : (nPacketsOld == nPackets)

    do {
        KeAcquireSpinLock();
        nPacketsOld = nPackets;   b = true;
        if (request) {
            request = request->Next;
            KeReleaseSpinLock();
            nPackets++;           b = b ? false : *;
        }
    } while (nPackets != nPacketsOld);   // !b
    KeReleaseSpinLock();

Slide24

SLAM Example: model checking the refined boolean program (bebop)

    b : (nPacketsOld == nPackets)

    do {
        KeAcquireSpinLock();
        b = true;
        if (*) {
            KeReleaseSpinLock();
            b = b ? false : *;
        }
    } while (!b);
    KeReleaseSpinLock();

[Figure: the control-flow graph labelled with the lock state and b. With b tracked, the loop-back edge is only taken when !b holds, so E is no longer reachable.]
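As an added example, not SLAM's own code, the Python below runs the CEGAR loop of Slide8 on the example of Slides 20-24: it model-checks the boolean program with only the lock state (the bebop step), replays the abstract error trace on the concrete program (the newton step), finds it spurious, adds the predicate b (the c2bp step) and checks again. The control-location names, the U/L/E lock automaton encoding and the replay-based feasibility check are assumptions made for this example; a real tool uses a theorem prover for the feasibility step.

```python
from collections import deque

# Control locations of the SLAM example, one per statement or branch point
# (names are assumptions made for this example).
ACQUIRE, SET_OLD, IF_REQ, NEXT, RELEASE_IN, INC, WHILE, RELEASE_OUT, END = range(9)


def step_lock(lock, op):
    """Locking rule automaton: U -acquire-> L, L -release-> U, anything else -> E."""
    if op == "acquire" and lock == "U":
        return "L"
    if op == "release" and lock == "L":
        return "U"
    return "E"


def abstract_successors(state, track_b):
    """Successors of abstract state (pc, lock, b) in the boolean program.
    b abstracts the predicate (nPacketsOld == nPackets) as True/False/None,
    None meaning unknown (*). With track_b=False the predicate is not part of
    the abstraction, so b stays None and the loop test is nondeterministic."""
    pc, lock, b = state
    if pc == ACQUIRE:
        return [(SET_OLD, step_lock(lock, "acquire"), b)]
    if pc == SET_OLD:                       # nPacketsOld = nPackets  => b = true
        return [(IF_REQ, lock, True if track_b else None)]
    if pc == IF_REQ:                        # if (request): opaque to the abstraction
        return [(NEXT, lock, b), (WHILE, lock, b)]
    if pc == NEXT:                          # request = request->Next: no tracked effect
        return [(RELEASE_IN, lock, b)]
    if pc == RELEASE_IN:
        return [(INC, step_lock(lock, "release"), b)]
    if pc == INC:                           # nPackets++  => b = b ? false : *
        return [(WHILE, lock, False if b is True else None)]
    if pc == WHILE:                         # while (nPackets != nPacketsOld), i.e. !b
        succ = []
        if b is not True:
            succ.append((ACQUIRE, lock, b))       # loop again: needs !b
        if b is not False:
            succ.append((RELEASE_OUT, lock, b))   # exit: needs b
        return succ
    if pc == RELEASE_OUT:
        return [(END, step_lock(lock, "release"), b)]
    return []


def model_check(track_b):
    """bebop-style reachability: return a shortest abstract trace (list of
    states) reaching lock state E, or None if the boolean program is safe."""
    init = (ACQUIRE, "U", None)
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        if s[1] == "E":
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for t in abstract_successors(s, track_b):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def concrete_feasible(trace):
    """newton-style check: replay the abstract trace's control path on the
    concrete program. `request` is a free input, and the loop test depends
    only on whether nPackets++ ran on the path, so replaying from
    nPackets = nPacketsOld = 0 decides feasibility exactly for this program."""
    n_packets = n_old = 0
    for (pc, _, _), (next_pc, _, _) in zip(trace, trace[1:]):
        if pc == SET_OLD:
            n_old = n_packets
        elif pc == INC:
            n_packets += 1
        elif pc == WHILE and (next_pc == ACQUIRE) != (n_packets != n_old):
            return False            # the path takes a branch the data rules out
    return True


def cegar():
    """The CEGAR loop of Slide8 on the SLAM example of Slides 20-24."""
    trace = model_check(track_b=False)        # abstraction: lock state only
    if trace is None:
        return "safe with lock state only"
    if concrete_feasible(trace):
        return "real bug"
    refined = model_check(track_b=True)       # refine: add predicate b
    return "safe after adding b" if refined is None else "still failing"


if __name__ == "__main__":
    print("lock only :", model_check(track_b=False))
    print("with b    :", model_check(track_b=True))
    print("CEGAR     :", cegar())
```

With only the lock state the model checker returns the six-state trace acquire, set nPacketsOld, skip the if, loop back, acquire again, which replays as infeasible because the loop condition is false on that path; tracking b removes the loop-back edge in that situation and the refined boolean program has no path to E.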

Slide25

Scalability vs. Verification

Many predicates tracked (e.g. values of variables): state explosion; the analysis drowns in detail. Verification at the cost of scalability.

Few predicates tracked (e.g. types of variables): imprecision hinders verification; spurious counterexamples. Scalability at the cost of verification.

Slide26

Example

    while (*) {
        1: if (p1) lock();
           if (p1) unlock();
        2: if (p2) lock();
           if (p2) unlock();
           …
        n: if (pn) lock();
           if (pn) unlock();
    }

Only track lock: scalability, but a bogus counterexample (lock, lock, unlock; branch outcomes T, F, T). Branches must be correlated.

Predicate p1 makes the trace abstractly infeasible; every p_i is required for verification.

Slide27

Example

    (same program as above)

Only track lock: bogus counterexample, branches must be correlated.

Track lock and all p_i: state explosion, more than 2^n distinct states, verification intractable.

How can we get scalable verification?

Slide28

By Localizing Precision

    while (*) {
        1: if (p1) lock();
           if (p1) unlock();
        2: if (p2) lock();
           if (p2) unlock();
           …
        n: if (pn) lock();
           if (pn) unlock();
    }

Predicate p_i is only needed around statement i.

Predicates used locally: about 2 * n states.

Predicates used globally: about 2^n states.

Q2: Where are the predicates required?

Slide29

Counterexample Guided Refinement [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’01]

[Figure: the CEGAR loop. Program + Seed Abstraction → Abstract → Check (is the model safe?). YES: SAFE. NO (Trace): if the trace is feasible, BUG; otherwise Refine, using an explanation of why the trace is infeasible: what predicates remove the trace (make it abstractly infeasible), and where are the predicates needed?]

Slide30

Counterexample Guided Refinement

[Figure: the CEGAR loop as on Slide29: Program + Seed Abstraction → Abstract → Check → SAFE, or a trace that is either a feasible BUG or is explained (why infeasible?) and used to Refine.]

Slide31

Counterexample Guided Refinement

[Figure: the CEGAR loop as on Slide29, with the SAFE outcome highlighted.]

Slide32

This Talk: Counterexample Analysis

[Figure: the CEGAR loop as on Slide29, with the Refine step highlighted: what predicates remove the trace (make it abstractly infeasible), and where are the predicates needed?]

Slide33

Plan

Motivation

Refinement using Traces

Simple

Procedure calls

Results

Slide34

Trace Formulas

A single abstract trace represents an infinite number of concrete traces:

Different loop iterations

Different concrete values

Solution:

Only consider concrete traces with the same number of executions

Use formulas to represent sets of states

Slide35

Representing States as Formulas

[F] = states satisfying F = {s | s ⊨ F}, where F is a FO formula over program variables

[F1] ∩ [F2] = [F1 ∧ F2]

[F1] ∪ [F2] = [F1 ∨ F2]

complement of [F] = [¬F]

[F1] ⊆ [F2] iff F1 implies F2, i.e. F1 ∧ ¬F2 is unsatisfiable

Slide36

Counterexample Analysis

[Figure: the counterexample-analysis pipeline. The trace is put in SSA form to build a Trace Feasibility Formula, which is handed to a theorem prover (Thm Pvr). Q0: is the trace feasible? Y: the trace is feasible. N: a proof of unsatisfiability is the explanation of infeasibility; from it a predicate map (program counter → predicates) is extracted and used to Refine. Q1: what predicates remove the trace? Q2: where are the predicates required?]

Slide37

Counterexample Analysis

[Figure: the counterexample-analysis pipeline as on Slide36 (SSA trace, trace feasibility formula, theorem prover, proof of unsatisfiability, extracted predicate map), with Q0, Q1 and Q2.]

Slide38

Traces

Program:

    pc1: x = ctr;
    pc2: ctr = ctr + 1;
    pc3: y = ctr;
    pc4: if (x = i-1) {
    pc5:     if (y != i) {
               ERROR:
             }
         }

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

y = x + 1

Slide39

Trace Feasibility Formulas

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

SSA Trace:

    pc1: x1 = ctr0
    pc2: ctr1 = ctr0 + 1
    pc3: y1 = ctr1
    pc4: assume(x1 = i0 - 1)
    pc5: assume(y1 ≠ i0)

Trace Feasibility Formula (TFF):

    x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

Theorem: the trace is feasible iff the TFF is satisfiable. Compact Verification Conditions [Flanagan, Saxe ’00]

Slide40

Counterexample Analysis

[Figure: the counterexample-analysis pipeline as on Slide36, with Q0 (is the trace feasible?) answered by the trace feasibility formula.]

Slide41

Counterexample Analysis

[Figure: the counterexample-analysis pipeline as on Slide36; the trace feasibility formula settles Q0, and Q1 (what predicates remove the trace?) and Q2 (where are the predicates required?) remain.]

Slide42

Proof of Unsatisfiability

Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

Proof of Unsatisfiability:

    x1 = ctr0,  x1 = i0 - 1          ⟹  ctr0 = i0 - 1
    ctr0 = i0 - 1,  ctr1 = ctr0 + 1  ⟹  ctr1 = i0
    ctr1 = i0,  y1 = ctr1            ⟹  y1 = i0
    y1 = i0,  y1 ≠ i0                ⟹  contradiction

PROBLEM: the proof uses the entire history of the execution. Information flows up and down; there is no localized or state information!

Slide43

The Present State…

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

… is all the information the executing program has here.

State…
1. … after executing the trace prefix
2. … knows the present values of variables
3. … makes the trace suffix infeasible

At pc4, which predicate on the present state shows infeasibility of the suffix?

Slide44

What Predicate is needed?

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

Trace Formula (TF): x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

State…                                     Predicate…
1. … after executing the trace prefix      … implied by the TF prefix
2. … has the present values of variables
3. … makes the trace suffix infeasible

Slide45

What Predicate is needed?

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

Trace Formula (TF): x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

State…                                     Predicate…
1. … after executing the trace prefix      … implied by the TF prefix
2. … has the present values of variables   … on common variables (x1 is the current x in both the prefix and the suffix)
3. … makes the trace suffix infeasible

Slide46

What Predicate is needed?

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

Trace Formula (TF): x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

State…                                     Predicate…
1. … after executing the trace prefix      … implied by the TF prefix
2. … has the present values of variables   … on common variables
3. … makes the trace suffix infeasible     … & TF suffix is unsatisfiable

Slide47

What Predicate is needed?

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

Trace Formula (TF): x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

State…                                     Predicate…
1. … after executing the trace prefix      … implied by the TF prefix
2. … knows the present values of variables … on common variables
3. … makes the trace suffix infeasible     … & TF suffix is unsatisfiable

Slide48

Craig’s Interpolation Theorem [Craig ’57]

Given formulas φ⁻, φ⁺ such that φ⁻ ∧ φ⁺ is unsatisfiable, there exists an interpolant ψ for φ⁻, φ⁺ such that:

φ⁻ implies ψ

ψ has symbols common to φ⁻, φ⁺

ψ ∧ φ⁺ is unsatisfiable

[Figure: φ⁻ and φ⁺ as disjoint regions; ψ contains φ⁻ and does not meet φ⁺.]

Slide49

Craig’s Interpolation Theorem (take 2)

Given formulas φ⁻, φ⁺ such that φ⁻ implies φ⁺, there exists an interpolant ψ for φ⁻, φ⁺ such that:

φ⁻ implies ψ

ψ implies φ⁺

ψ has symbols common to φ⁻, φ⁺

[Figure: nested regions φ⁻ ⊆ ψ ⊆ φ⁺.]

Slide50

Examples of Craig’s Interpolation

φ⁻ = b ∧ (b ⟹ c), φ⁺ = ¬c. Interpolant: c

φ⁻ = x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1
φ⁺ = x1 = i0 - 1 ∧ y1 ≠ i0
Interpolant: y1 = x1 + 1

Slide51

Craig’s Interpolation Theorem [Craig ’57]

Given formulas φ⁻, φ⁺ such that φ⁻ ∧ φ⁺ is unsatisfiable, there exists an interpolant ψ for φ⁻, φ⁺ such that:

φ⁻ implies ψ

ψ has only symbols common to φ⁻, φ⁺

ψ ∧ φ⁺ is unsatisfiable

ψ is computable from a proof of unsatisfiability of φ⁻ ∧ φ⁺ [Krajicek ’97] [Pudlak ’97]; (boolean) SAT-based Model Checking [McMillan ’03]

Slide52

Interpolant = Predicate!

Predicate…                                        Interpolate: require φ⁻ (TF prefix), φ⁺ (TF suffix); interpolant ψ…
1. implied by the trace prefix                    1. φ⁻ implies ψ
2. on common variables (common = current value)   2. ψ has symbols common to φ⁻, φ⁺
3. & suffix yields a contradiction                3. ψ ∧ φ⁺ is unsatisfiable

Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x = i-1); pc5: assume(y ≠ i)

Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

Interpolant:

Slide53

Interpolant = Predicate!

Predicate…                                        Interpolate: require φ⁻ (TF prefix), φ⁺ (TF suffix); interpolant ψ…
1. implied by the trace prefix                    1. φ⁻ implies ψ
2. on common variables                            2. ψ has symbols common to φ⁻, φ⁺
3. & suffix yields a contradiction                3. ψ ∧ φ⁺ is unsatisfiable

Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x = i-1); pc5: assume(y ≠ i)

Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

Interpolant: y1 = x1 + 1

Slide54

Interpolant = Predicate!

Predicate…                                        Interpolate: require φ⁻ (TF prefix), φ⁺ (TF suffix); interpolant ψ…
1. implied by the trace prefix                    1. φ⁻ implies ψ
2. on common variables                            2. ψ has symbols common to φ⁻, φ⁺
3. & suffix yields a contradiction                3. ψ ∧ φ⁺ is unsatisfiable

Trace: pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: assume(x = i-1); pc5: assume(y ≠ i)

Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

Interpolant: y1 = x1 + 1

Predicate at pc4: y = x + 1

Slide55

Building Predicate Maps

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

Cut + Interpolate at each point. Pred. Map: pc_i ↦ interpolant from cut i.

Cut after pc1: φ⁻ = x1 = ctr0, φ⁺ = the rest. Interpolant: x1 = ctr0

Predicate Map: pc2: x = ctr

Slide56

Building Predicate Maps

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

Cut + Interpolate at each point. Pred. Map: pc_i ↦ interpolant from cut i.

Cut after pc2: φ⁻ = x1 = ctr0 ∧ ctr1 = ctr0 + 1, φ⁺ = the rest. Interpolant: x1 = ctr1 - 1

Predicate Map: pc2: x = ctr; pc3: x = ctr - 1

Slide57

Building Predicate Maps

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

Cut + Interpolate at each point. Pred. Map: pc_i ↦ interpolant from cut i.

Cut after pc4: φ⁻ = x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1, φ⁺ = y1 ≠ i0. Interpolant: y1 = i0

Predicate Map: pc2: x = ctr; pc3: x = ctr - 1; pc4: y = x + 1; pc5: y = i

Slide58

Building Predicate Maps

Trace:

    pc1: x = ctr
    pc2: ctr = ctr + 1
    pc3: y = ctr
    pc4: assume(x = i-1)
    pc5: assume(y ≠ i)

Trace Formula: x1 = ctr0 ∧ ctr1 = ctr0 + 1 ∧ y1 = ctr1 ∧ x1 = i0 - 1 ∧ y1 ≠ i0

Predicate Map: pc2: x = ctr; pc3: x = ctr - 1; pc4: y = x + 1; pc5: y = i

Theorem: the predicate map makes the trace abstractly infeasible.
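As an added example, not code from the slides or from BLAST, the Python below carries the trace of Slides 38-39 and 55-58 through the whole pipeline: SSA renaming into the trace feasibility formula, the feasibility decision of Slide39's theorem, and the predicate map obtained by cutting after every statement. Two assumptions keep it self-contained: formulas are conjunctions of linear equalities and disequalities decided over the rationals by Gaussian elimination, and for that fragment the interpolant at a cut is taken to be the projection of the prefix's equalities onto the variables shared with the suffix (which is implied by the prefix, mentions only shared symbols, and contradicts the suffix exactly when the whole formula is unsatisfiable). The trace representation (`lin`, `assign`/`assume` tuples) is invented for this example; a real tool gets the interpolants from the prover's proof of unsatisfiability.

```python
from fractions import Fraction

# Linear expressions are dicts {name: coefficient}; key "1" holds the constant.

def lin(const=0, **coeffs):
    """lin(1, ctr=1) is ctr + 1."""
    e = {"1": Fraction(const)}
    e.update((v, Fraction(c)) for v, c in coeffs.items())
    return e

def add(a, b, k=1):
    """a + k*b, dropping zero coefficients (the constant term is always kept)."""
    out = dict(a)
    for v, c in b.items():
        out[v] = out.get(v, Fraction(0)) + k * c
    return {v: c for v, c in out.items() if c != 0 or v == "1"}

def solve(e, var):
    """Given e == 0, return the expression that `var` equals."""
    return {v: -c / e[var] for v, c in e.items() if v != var}

def substitute(e, var, sol):
    """Replace `var` in e by the expression `sol`."""
    if var not in e:
        return e
    return add({v: k for v, k in e.items() if v != var}, sol, e[var])

def eliminate(eqs, var):
    """Project `var` out of a conjunction of equalities (each e means e == 0)."""
    piv = next((e for e in eqs if var in e), None)
    if piv is None:
        return list(eqs)
    return [substitute(e, var, solve(piv, var)) for e in eqs if e is not piv]

def variables(formula):
    """SSA variables of a formula, in order of first appearance."""
    seen = []
    for _, e in formula:
        seen += [v for v in e if v != "1" and v not in seen]
    return seen

def show(e):
    """Render e == 0 solved for its first variable, e.g. 'y1 = x1 + 1'."""
    var = next(v for v in e if v != "1")
    rhs = solve(e, var)
    terms = [f"{'' if c == 1 else str(c) + '*'}{v}" for v, c in rhs.items() if v != "1"]
    if rhs["1"] != 0 or not terms:
        terms.append(str(rhs["1"]))
    return f"{var} = " + " + ".join(terms).replace("+ -", "- ")

def to_ssa(trace):
    """Rename each assignment target to a fresh version (x -> x1, ctr -> ctr0 ...)
    and return the trace feasibility formula as (op, e) pairs: e == 0 / e != 0."""
    version = {}
    cur = lambda v: f"{v}{version.setdefault(v, 0)}"
    rename = lambda e: {(k if k == "1" else cur(k)): c for k, c in e.items()}
    formula = []
    for stmt in trace:
        if stmt[0] == "assign":                      # ("assign", target, rhs)
            _, target, rhs = stmt
            rhs = rename(rhs)                        # read old versions first
            version[target] = version.setdefault(target, 0) + 1
            formula.append(("=", add(lin(**{cur(target): 1}), rhs, -1)))
        else:                                        # ("assume", op, lhs, rhs)
            _, op, lhs, rhs = stmt
            formula.append((op, add(rename(lhs), rename(rhs), -1)))
    return formula

def render(formula):
    return [show(e).replace(" = ", f" {op} ", 1) for op, e in formula]

def feasible(formula):
    """Slide39's theorem: the trace is feasible iff the TFF is satisfiable.
    Eliminate every variable bound by an equality; the conjunction is then
    satisfiable iff no '0 = k' (k != 0) and no 't != t' remains."""
    eqs = [e for op, e in formula if op == "="]
    neqs = [e for op, e in formula if op == "!="]
    for var in variables(formula):
        piv = next((e for e in eqs if var in e), None)
        if piv is not None:
            sol = solve(piv, var)
            eqs = [substitute(e, var, sol) for e in eqs if e is not piv]
            neqs = [substitute(e, var, sol) for e in neqs]
    if any(e["1"] != 0 for e in eqs):
        return False
    return all(len(e) > 1 or e["1"] != 0 for e in neqs)

def predicate_map(formula):
    """Cut after each statement; the predicate for the next program point is the
    prefix's equalities projected onto the variables shared with the suffix
    (assumed here to serve as the interpolant for this equality fragment)."""
    preds = {}
    for cut in range(1, len(formula)):
        prefix = [e for op, e in formula[:cut] if op == "="]
        shared = set(variables(formula[cut:]))
        for var in variables(formula[:cut]):
            if var not in shared:
                prefix = eliminate(prefix, var)
        preds[f"pc{cut + 1}"] = [show(e) for e in prefix if len(e) > 1]
    return preds

# The trace of the slides (constructed here in the example's own encoding).
TRACE = [
    ("assign", "x", lin(ctr=1)),                    # pc1: x = ctr
    ("assign", "ctr", lin(1, ctr=1)),               # pc2: ctr = ctr + 1
    ("assign", "y", lin(ctr=1)),                    # pc3: y = ctr
    ("assume", "=", lin(x=1), lin(-1, i=1)),        # pc4: assume(x = i - 1)
    ("assume", "!=", lin(y=1), lin(i=1)),           # pc5: assume(y != i)
]
# Constructed variant: ctr = ctr + 2 at pc2 makes the same path feasible.
VARIANT = TRACE[:1] + [("assign", "ctr", lin(2, ctr=1))] + TRACE[2:]

if __name__ == "__main__":
    f = to_ssa(TRACE)
    print("\n".join(render(f)))
    print("feasible:", feasible(f), "| variant feasible:", feasible(to_ssa(VARIANT)))
    print(predicate_map(f))
```

The rendering solves each equation for its first variable, so pc3 comes out as `ctr1 = x1 + 1` and pc5 as `i0 = y1`; these are the same predicates as the slide's x = ctr - 1 and y = i, and pc2 (x = ctr) and pc4 (y = x + 1) match literally.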

Slide59

Plan

Motivation

Refinement using Traces

Simple

Procedure calls

Results

Slide60

Traces with Procedure Calls

Trace, with its SSA trace formula:

    pc1:  x1 = 3
    pc2:  assume (x1 > 0)
    pc3:  x3 = f1(x1)
    pc4:  y2 = y1
    pc5:  y3 = f2(y2)
    pc6:  z2 = z1 + 1
    pc7:  z3 = 2*z2
    pc8:  return z3
    pc9:  return y3
    pc10: x4 = x3 + 1
    pc11: x5 = f3(x4)
    pc12: assume (w1 < 5)
    pc13: return w1
    pc14: assume (x4 > 5)
    pc15: assume (x1 = x3 + 2)

Find the predicate needed at point i.

Slide61

Interprocedural Analysis

Procedure Summaries [Reps, Horwitz, Sagiv ’95]; Polymorphic Predicate Abstraction [Ball, Millstein, Rajamani ’02]

Require at each point i: well-scoped predicates

YES: variables visible at i

NO: caller’s local variables

Find the predicate needed at point i.

[Figure: the trace and its trace formula with cut point i; segments marked YES or NO according to whether their variables are visible at i.]

Slide62

Problems with Cutting

[Figure: cutting the trace formula at point i into φ⁻ and φ⁺ while inside a procedure call.]

Caller variables are common to φ⁻ and φ⁺: unsuitable interpolant, not well-scoped.

Slide63

Interprocedural Cuts

[Figure: the trace and its trace formula with the point where the call begins marked, and cut point i inside the call.]

Slide64

Interprocedural Cuts

[Figure: the interprocedural cut at i: φ⁻ is the part of the trace formula from where the call begins up to i, φ⁺ is the rest.]

Predicate at pc_i = interpolant from cut i

Slide65

Common Variables

[Figure: the interprocedural cut at i, with φ⁻ covering the callee from the start of the call to i and φ⁺ the rest.]

Predicate at pc_i = interpolant from the i-cut

Common variables: formals (shared with the caller's part of the formula) and current locals (shared with the suffix). The interpolant is well-scoped.

Slide66

Plan

Motivation

Refinement using Traces

Simple

Procedure calls

Results

Slide67

Implementation

Algorithms implemented in BLAST

Verifier for C programs, Lazy Abstraction

[POPL ’02]

FOCI : Interpolating decision procedure

Examples:

Windows Device Drivers (DDK)

IRP Specification: 22 state FSM

Current: Security properties of Linux programs

Slide68

Results (Windows DDK, IRP specification: 22-state FSM)

    Program    LOC*    Previous Time    New Time    Predicates (Total)    Predicates (Average)
    kbfiltr    12k     1m12s            3m48s       72                    6.5
    floppy     17k     7m10s            25m20s      240                   7.7
    diskperf   14k     5m36s            13m32s      140                   10
    cdaudio    18k     20m18s           23m51s      256                   7.8
    parport    61k     DNF              74m58s      753                   8.1
    parclass   138k    DNF              77m40s      382                   7.2

* Pre-processed

Slide69

Localizing works…

(The results table of Slide68 is shown again.)

Slide70

Conclusion

Scalability and precision by localizing: Craig interpolation

Interprocedural cuts give well-scoped predicates

Some current and future work:

Multithreaded programs: project local info of a thread to predicates over globals

Hierarchical trace analysis

Slide71

Limitations of CEGAR

Limited to powerset/relational abstract domains

Interpolant computations

Interactions with widening

Starting on the right foot

Unnecessary refinement steps

Long and infinite number of refinement steps

Long traces

Slide72

Unnecessary Refinements

    x = 0
    while (x < 10^6) do
        x = x + 1
    assert x < 100

Slide73

Unsuccessful Refinement Set

    x = malloc();
    y = x;
    while (…)
        t = malloc();
        t->next = x;
        x = t;
    while (x != y) do
        assert x != null;
        x = x->next;

Slide74

Long Traces

    Example() {
    1:  c = 0;
    2:  for (i = 1; i < 1000; i++)
    3:      c = c + f(i);
    4:  if (a > 0) {
    5:      if (x == 0) {
    ERR:        ;
            }
        }
    }

Assume f always terminates.

ERR is reachable: a and x are unconstrained.

Any feasible path to error must unroll the loop 1000 times AND find feasible paths through f.

Any other path must be dismissed as a false positive.

Slide75

Long Traces

    (same program as above)

Intuitively, the for loop is irrelevant.

ERR is reachable as long as there exists some path from 2 to 4 that does not modify a or x.

Can we use static analysis to precisely report that a statement is reachable without finding a feasible path?

Slide76

Long Traces

    (same program as above)

[Figure: the control-flow graph of the example: 1: c = 0 → 2: i = 1 → 2’: test i < 1000 → 3: c = c + f(i); i++ → back to 2’; on i ≥ 1000 → 4: a > 0 → 5: x == 0 → ERR. Next to it, the reduced path: 1 → 4: a > 0 → 5: x == 0.]

Slide77

Path Slice (PLDI’05)

The path slice of a program path is a subsequence of the edges of the path such that, if the sequence of operations along the subsequence is:

infeasible, then the path is infeasible, and

feasible, then the last location of the path is reachable (but not necessarily along the path)