Slide1
A survey of techniques for precise program slicing
Komondoor V. Raghavan
Indian Institute of Science, Bangalore
Slide2
The problem of program slicing
Given a program P, and a statement c (the criterion), identify statements and conditionals in the program that are relevant to the variables that occur in c
A conditional is relevant if modifying the conditional could disturb the values of the variables in c from what’s expected (on any input)
A statement is relevant if modifying its rhs could disturb the values of the variables at c
Intuitively, a slice is a projection of P that’s behaviorally equivalent to P wrt what’s observable at c
Raghavan Komondoor, Precise slicing
Slide3
An example
Slide4
Applications of slicing
Software understanding tools
Software maintenance tools
Clone detection
Merging back different variants of a program
Decomposition of monolithic programs into coherent functionalities (e.g., sum-product example)
Recovering independent threads from sequential program
Compilers and verification tools
Improves scalability, by identifying portion of program that’s relevant to a property that needs to be checked
Slide5
Control flow graph
Slide6
Flow dependence relation
s1 s2 if
s1 defines a variable v
s2 uses v
there is a control-flow path from s1 to s2 along which no other statement defines v
Slide7
Flow dependences
Slide8
Control dependence relation
s1 s2 if
s1 is a conditional
s2 is definitely reachable along one branch out of s1
there is a path along the other branch along which s2 is not reached
Slide9
Flow + control dependences
Slide10
Basic slicing technique
From P, construct flow dependence relation F and control dependence relation C
Obtain reflexive-transitive closure R of (F ⋃ C)
Slice = { s | <s, c> in R }, where c is given criterion
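The basic technique, as an added example that is not from the slides: it builds F and C from a control-flow graph using the definitions on the earlier slides and takes the backward closure from the criterion. The nine-statement sum/product loop, its statement numbering and all function names are constructed for illustration, and a single exit statement is assumed.

```python
PROG = {  # constructed program: id -> (defined var, used vars, CFG successors)
    1: ("i", set(), [2]),            # i = 1
    2: ("s", set(), [3]),            # s = 0
    3: ("p", set(), [4]),            # p = 1
    4: (None, {"i", "n"}, [5, 8]),   # while (i <= n)
    5: ("s", {"s", "i"}, [6]),       #     s = s + i
    6: ("p", {"p", "i"}, [7]),       #     p = p * i
    7: ("i", {"i"}, [4]),            #     i = i + 1
    8: (None, {"s"}, [9]),           # print(s)
    9: (None, {"p"}, []),            # print(p); the single exit
}

def flow_deps(prog):
    """(s1, s2): s1 defines v, s2 uses v, some path s1..s2 has no other def of v."""
    F = set()
    for s1, (v, _, succs) in prog.items():
        seen, work = set(), list(succs) if v else []
        while work:
            n = work.pop()
            d, uses, nxt = prog[n]
            if v in uses:
                F.add((s1, n))
            if d != v and n not in seen:   # a redefinition of v ends the path
                seen.add(n)
                work.extend(nxt)
    return F

def postdoms(prog):
    """pd[n]: nodes that lie on every path from n to the exit (n included)."""
    pd = {n: set(prog) for n in prog}
    while True:
        new = {n: {n} | (set.intersection(*(pd[s] for s in su)) if su else set())
               for n, (_, _, su) in prog.items()}
        if new == pd:
            return pd
        pd = new

def control_deps(prog):
    """(s1, s2): s2 is certain along one branch of conditional s1, avoidable along another."""
    pd = postdoms(prog)
    return {(s1, s2) for s1, (_, _, succs) in prog.items() if len(succs) > 1
            for t in succs for s2 in pd[t] if s2 not in pd[s1] - {s1}}

def slice_for(prog, c):
    """Slice = { s | <s, c> in R }, R the reflexive-transitive closure of F ∪ C."""
    deps, out = flow_deps(prog) | control_deps(prog), {c}
    while (new := {a for a, b in deps if b in out} - out):
        out |= new
    return out
```

Slicing on statement 8 keeps only the sum computation and the loop control; slicing on statement 9 keeps only the product computation and the loop control.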
Slide11
Illustration of slicing
Slide12
Illustration of slicing
Slide13
A more complex example
Slide14
Basic technique yields imprecise slice
Slide15
Need to rule out infeasible paths
[Hong et al., ‘95] achieve this by code duplication
Take a set of predicates Q (on program variables) as input
Make up to 2^|Q| copies of each statement, one for each combination of predicate evaluations
Identify feasible paths in this “exploded” flow graph
Then, apply usual slicing technique on this exploded graph
Slide16
Exploded flow graph
Slide17
Adding edges in exploded flow graph
Edge (1) not present because in state ¬p1, x < y cannot be true
Edge (2) not present for similar reason
Edge (3) not present because: program in state p1 remains in same state after executing “x = x - 1”
Slide18
Loops
Slide19
Loops
Slide20
Precision is closely linked to given partitioning
Slide21
Precision is closely linked to given partitioning
Slide22
Summary of Hong et al.
Obtains more precise slices than standard slicing, by excluding certain infeasible paths
Handles loops cleanly
Precision is linked to given partitioning Q
Partitioning needs to be selected carefully, based on statements in program
In general, a bigger Q gives better precision (at the expense of slicing time)
Other work exists to infer suitable Q automatically from program by iterative refinement
However, in the context of verification, not slicing
Slide23
An approach based on symbolic execution [Jaffar et al., ‘12]
Explodes control-flow graph by symbolically executing all possible paths in the program
Does not require Q as input
Basic idea
During execution, at each point
Have a symbolic store, which tracks current values of variables as expressions on program’s initial parameters
Have path constraint, which is a predicate on the initial parameters that needs to hold for path p to be feasible
If p is s1 sn, and sn sp and sn sq, split execution into two paths s1 sp and s1 sq.
Slide24
Illustration of symbolic execution
Slide25
Illustration of symbolic execution
Slide26
Symbolic paths ⟶ exploded flow graph
Slide27
Now, perform standard slicing
Slide28
Now, perform standard slicing
Slide29
So what do we have …
Fully automated. Does not need partitioning Q.
Precise even on examples like the complex one seen earlier (involving x = x + w; y = y + w;)
However, problem with loops
Slide30
The problem with loops
Slide31
The problem with loops
Slide32
The exploded flow graph
Slide33
Slicing
Slide34
Imprecise slicing
Slide35
Our approach [Komondoor ‘13]
Objectives
Fully precise in loop-free fragments, without relying on user-provided partitioning
Use user-provided partitioning only when “crossing” loop iterations
Handle programs that access and manipulate linked data structures
Slide36
We use PIM
What is PIM?
A graph/term representation for C programs
An equational logic and rewrite system on terms
Embodies the full concrete operational semantics of C
Applications
Precise constrained slicing
Partial evaluation
Slide37
Example PIM term
x = 1;
y = x + 2;
if (x == 2) z = y;
[Figure: PIM term for this program; labels: store cell, sequential composition, fragment, addr, @]
Slide38
Our notation
[Figure: the term in the slides' notation; labels: x = 1, y = x + 2, x@]
Slide39
Slicing via term simplification in PIM
y = (x < 50) y + 2; y = (x > 150) y + 1; x = x - 1;
@ @ (x 100) y   Criterion
y = (false) y + 2; y = (x > 150) y + 1; x = x - 1;
@ @ (x 100) y
Slide40
Summary of PIM’s approach
Convert the (program + criterion) into a store lookup
Rewrite/simplify the store lookup term
Identify subterms in the program on which simplified term is dependent
These terms constitute the slice
Fully precise in loop-free fragments. No partitioning required as input.
Slide41
Slicing a loop
while (x > n) {
  y = (x < 50) y + 2;
  y = (x > 150) y + 1;
  x = x - 1;
}
Criterion: (x = 100) y
PIM does not terminate while computing precise slice
Slide42
Abstract lattice for given example
[Figure: lattice diagram with elements T, (≤ 100), (≥ 100), (= 100), (≠ 100)]
(Tracks only value of x)
Slide43
Iteration 1
y = (x < 50) y + 2; y = (x > 150) y + 1; x = x - 1;
Criterion: (x = 100)
[Figure: the term after rewriting, y = (false) y + 2; y = (false) ; ; with ⊨ @ (= 100) y, labels (1) and (2), and the criteria (≥ 100) y and (≥ 100) x, annotated “abstract weakest pre-condition”]
Slide44
Iteration 2
y = (x < 50) y + 2; y = (x > 150) y + 1; x = x - 1;
[Figure: ⊨ @ (≥ 100) y, labels (1) and (2), and the criteria (≥ 100) y and (≥ 100) x]
Slide45
Iteration 3
y = (x < 50) y + 2; y = (x > 150) y + 1; x = x - 1;
[Figure: ⊨ @ (≥ 100) x, label (2), and the criterion (≥ 100) x]
Slide46
Final slice
while (x > n) {
  y = (x < 50) y + 2;
  y = (x > 150) y + 1;
  x = x - 1;
}
Slide47
Our approach, at each iteration
Use abstract predicates, of the form ‘s ⊨ l’, where s is a fragment and l is an element of a user-provided abstract lattice L
Convert concrete guards in criteria to abstract guards at the beginning of each iteration
Rewrite term using extended PIM rewrite rules
Then, use dependences to obtain the slice
Slide48
Ensuring termination
If given lattice is finite
Assuming no heap, finite number of addresses.
Therefore, there is a bound on total number of possible abstract-guarded criteria.
If lattice is finite-height
Whenever we generate a new criterion c ≡ l v, if we had previously generated a criterion l' v then modify c to (l ⊔ l') v.
This also bounds the total number of possible criteria.
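The merging rule above, as an added example that is not from the slides: criteria on the same variable are joined in the lattice, so each variable's guard can only climb and the worklist empties. Assumptions: lattice elements are modelled as sets of regions of x relative to 100 and ordered by inclusion, and STEP is a hand-written stand-in for the abstract weakest pre-condition that follows the criteria shown in Iterations 1 to 3; all names are hypothetical.

```python
LT, EQ, GT = "x<100", "x=100", "x>100"   # regions of x (modelling assumption)
LATTICE = {"T": {LT, EQ, GT}, "≤100": {LT, EQ}, "≥100": {EQ, GT},
           "=100": {EQ}, "≠100": {LT, GT}}

def join(l1, l2):
    """l1 ⊔ l2: the smallest lattice element covering the regions of both."""
    need = LATTICE[l1] | LATTICE[l2]
    return min((n for n, r in LATTICE.items() if need <= r),
               key=lambda n: len(LATTICE[n]))

# Stand-in for the abstract weakest pre-condition of the loop body (assumption):
# criterion (guard, var) -> criteria generated for the previous iteration.
STEP = {("=100", "y"): [("≥100", "y"), ("≥100", "x")],
        ("≥100", "y"): [("≥100", "y"), ("≥100", "x")],
        ("≥100", "x"): [("≥100", "x")]}

def slice_loop(guard, var, step=STEP):
    """Process criteria to a fixpoint; returns (final guard per variable, rounds)."""
    seen, work, rounds = {var: guard}, [(guard, var)], 0
    while work:
        g, v = work.pop(0)
        rounds += 1
        for g2, v2 in step.get((g, v), []):
            # A criterion l' v2 was generated before: use (l ⊔ l') v2 instead.
            merged = join(seen[v2], g2) if v2 in seen else g2
            if merged != seen.get(v2):     # new or strictly higher: process again
                seen[v2] = merged
                work.append((merged, v2))
    return seen, rounds
```

Starting from the criterion (= 100) y, the run stops after three rounds with (≥ 100) on both y and x.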
Slide49
Example
// x points to a singly-linked list
y = null;
while (x.d != k) {
  t = y;
  y = x;
  x = x.next;
  y.next = t;
}
[Figure: two drawings of the list (nodes a to f, with pointers y and x), the second labelled “after iteration”; x @]
Slide50
Another example
if (x % 2 == 1) z = z + 1;
while (x < n) x = x + 2;
if (x % 2 == 0) y = z + 2;
y @
Slide51
Summary of our approach
Fully precise slicing in loop-free fragments
Slicing of loops: Precision linked to user-provided lattice
We address loops that traverse heap structures
Support partial evaluation also
Technical contribution
Integrate abstract interpretation with term rewriting
May be useful in other applications where term rewriting is used