Docstoc

SPIN

Document Sample
SPIN Powered By Docstoc
					Symbolic Execution with Abstract
    Subsumption Checking

                       Saswat Anand
     College of Computing, Georgia Institute of Technology
                      Corina Păsăreanu
              QSS, NASA Ames Research Center
                       Willem Visser
          RIACS/USRA, NASA Ames Research Center
                                Introduction

Goal
• Error detection in programs with complex input data structures
    – Unbounded state space
Approaches
• Model checking with (predicate) abstraction, shape analysis
• Over-approximations of program behavior
• Preserve true results; reported errors may be spurious
Our approach
• Symbolic execution and model checking (TACAS’03)
Contribution
• State matching to limit the searched state space
    – Subsumption checking for symbolic states
    – Abstractions to further reduce the searched state space
• Under-approximations of program behavior
• Preserve errors of safety properties; explore only feasible behaviors
                                                                          2
                    Symbolic Execution

• Analysis of programs with unspecified inputs
   – Execute a program on symbolic inputs
• Symbolic states represent sets of concrete states
• For each path, build a path condition
   – Condition on inputs – for the execution to follow that path
   – Check path condition satisfiability – explore only feasible paths
• Symbolic state
   – Symbolic values/expressions for variables
   – Path condition
   – Program counter
                                                                    3
                 Example – Explicit Execution

Code that swaps 2 integers   Concrete Execution Path

int x, y;                         x = 1, y = 0
if (x > y) {                      1 > 0 ? true
    x = x + y;                    x=1+0=1
    y = x – y;                    y=1–0=1
    x = x – y;                    x=1–1=0
    if (x > y)                    0 > 1 ? false
     assert false;

}
                                                       4
                 Example – Symbolic Execution

Code that swaps 2 integers        Symbolic Execution Tree
                                          path condition

int x, y;                         [PC:true]x = X,y = Y

if (x > y) {                        [PC:true] X > Y ?
                                  false                    true
    x = x + y;               [PC:X≤Y]END           [PC:X>Y]x= X+Y

    y = x – y;                                   [PC:X>Y]y = X+Y–Y = X

    x = x – y;                                   [PC:X>Y]x = X+Y–X = Y
    if (x > y)                                         [PC:X>Y]Y>X ?
                                               false                  true
     assert false;                [PC:X>YY≤X]END                 [PC:X>YY>X]END
}
                                                                              5
       Generalized Symbolic Execution

• Handles
   – Dynamically allocated data structures, arrays
   – Preconditions, concurrency
• Lazy initialization for arrays and structures
• Java PathFinder (JPF) model checker used
   – To generate and explore the symbolic execution tree
• Implementation via instrumentation
   – Programs instrumented to enable JPF to perform symbolic
     execution
   – Omega library used to check satisfiability of numeric path
     conditions – for linear integer constraints
                                                              6
                         Symbolic Execution with
                           Lazy Initialization
                                                         this,n                next          PC: true
                                                                          V0
Code
                                                                      false           true
class Node {
  int elem;               Precondition:                               PC: V0 ≤ v                 PC: V0 > v END
                           acyclic list!
  Node next;
                                                                                             Lazy initialization


 Node find(int v) {                            this
                                                             V0
                                                                  next
                                                                          V1
                                                                               next               this
                                                                                                                V0
                                                                                                                     next
                                                                                                                              null END

   Node n = this;                                                 n                                                  n

                                                                                      true
   while (n != null) {     = un-initialized
                                                                      false

     if (n.elem > v)                                          PC: V0 ≤ v  V1 ≤ v                 PC: V0 ≤ v  V1>v END
        return n;
     n = n.next;
   }                                                  next        next         next             this            next              next
                                      this      V0           V1           V2                               V0            V1              null END
   return null;                                                   n                                                           n

 }}                                                                     …
                                              Execution tree is infinite!
                            State Matching


• Symbolic state
   – Represents a set of concrete states
• State matching
   – Subsumption checking between symbolic states
      Symbolic state S1 is subsumed by symbolic state S2 iff
               set of concrete states represented by S1 
               set of concrete states represented by S2

• Model checking
   – Examine if a symbolic state is subsumed by previously stored symbolic state
   – Continue or backtrack
• Method handles
   – Un-initialized data structures (lists, trees), arrays
   – Numeric constraints

                                                                                   8
                              Symbolic State



               E1
       left           right
                                       E1 > E2 
       E2                              E2 > E3 
left          right                    E2 < E4 
 E3           E4                       E1 > E4

Heap Configuration                  Numeric Constraints




                                                          9
             Subsumption for Symbolic States


Two steps (same program counter):
1. Subsumption checking for heap configurations
     –   Obtained through DFS traversal of “rooted” heap configurations
         •    Roots are program variables pointing to the heap
     –   Unique labeling for “matched” nodes
     –   Considers only the heap shape, ignores numeric data
2.   Subsumption checking for numeric constraints
     –   Heap subsumption is only a pre-requisite of state subsumption
     –   Check logical implication between numeric constraints
     –   Existential quantifier elimination to “normalize” the constraints
         •    Uses Omega library

                                                                             10
              Subsumption for Heap Configurations
             root                                                          root

                    1:                                                          1:
              left                right                                    left              right

       2:                                                           2:
     left            right       left    right                     left              right

3:           4:                                               3:           4:



            root                                                           root

                                                 Unmatched!                 left             right
                                                   
             left               right


                         left           right                      left          right



                                                                                                     11
                Subsumption for Numeric Constraints


                        1: E1
Stored state:                    E1 > E2 
                                                 Set of concrete
                   2: E2         E2 > E3 
                                               states represented
                                 E2 ≤ E4 
                                                 by stored state
                3: E3 4: E4      E1 > E4




                                 




                                                    
                        


                        1: E1
New state:                       E1 > E2        Set of concrete
                   2: E2         E2 > E3      states represented
                                 E2 < E4         by new state
                3: E3 4: E4      E1 > E4


                                                              12
             Subsumption for Numeric Constraints


                       Existential Quantifier Elimination

             1: E1:V1                        Valuation:
                                             E1 = V1  E2 = V4  E3 = V3  E4 = V5
     2: E2:V4                 V2
                                             PC:
3: E3:V3   4: E4:V5      V6          V7      V1 < V 2  V4 > V3  V4 < V 1  V4 < V5
                                              V6 < V 2  V7 > V2


                                    V1,V2,V3,V4,V5,V6,V7:
                      E1 = V1  E2 = V4  E3 = V3  E4 = V5  PC

                                     simplifies to
                        E1 > E2  E2 > E3  E2 < E4  E1 > E4
                                                                                       13
                   Abstract Subsumption


• Symbolic execution with subsumption checking
   – Not enough to ensure termination
   – An infinite number of symbolic states
• Our solution
   – Abstraction
       • Store abstract versions of explored symbolic states
       • Subsumption checking to determine if an abstract state is re-visited
       • Decide if the search should continue or backtrack
   – Enables analysis of under-approximation of program behavior
   – Preserves errors to safety properties
• Automated support for two abstractions:
   – Shape abstraction for singly linked lists
   – Shape abstraction for arrays

                                                                                14
       Abstractions for Lists and Arrays


• Shape abstraction for singly linked lists
   – Summarize contiguous list elements not pointed to by
     program variables into summary nodes
   – Valuation of a summary node
      • Union of valuations of summarized nodes
   – Subsumption checking between abstracted states
      • Same algorithm as subsumption checking for symbolic states
      • Treat summary node as an “ordinary” node
• Abstraction for arrays
   – Represent array as a singly linked list
   – Abstraction similar to shape abstraction for linked lists

                                                                     15
                                             Abstraction for Lists

           Symbolic states                                                        Abstracted states
                                                                              1:              2:            3:
this          next        next        next                       this                  next          next           next
         V0          V1          V2                                               V0            V1           V2
                          n                                                                          n

                                                                                   E1 = V0  E2 = V1  E3 = V2
       PC: V0 ≤ v  V1 ≤ v
                                                                                   PC: V0 ≤ v  V1 ≤ v




               Unmatched!




                                                                                          
                                                                        1:               2:                         3:
              next        next        next        next                            next                           next        next
this     V0          V1          V2          V3           this               V0               { V1 , V2 }               V3
                                      n                                                                      n


                                                                                   E1 = V0  (E2 = V1  E2 = V2)  E3 = V3
       PC: V0 ≤ v  V1 ≤ v  V2 ≤ v
                                                                                   PC: V0 ≤ v  V1 ≤ v  V2 ≤ v


                                                                                                                                    16
                        Experience


• Implementation
   – Subsumption checking
   – Shape abstractions for singly linked lists and arrays
• Error detection in Java programs
   – List partition: 10 step counterexample
   – Array partition: 30 step counterexample
• Analyzed corrected programs
   – Abstraction effective in limiting the state space

                                                             17
                             Related Work

• Under-approximation based abstraction for property falsification
   – Ball et al. [CAV’05]
• Our previous work
   – Choice free search [TACAS’01]
   – Concrete model checking with abstract matching and refinement
     [CAV’05]
• Model driven software verification
   – Use abstraction mappings during concrete model checking – Holzmann
     and Joshi [SPIN’04]
• Symbolic execution
   – [King’76], Symstra [TACAS’05]
• Shape analysis
   – TVLA, …
                                                                          18
             Conclusion and Future Work

• Symbolic execution with subsumption checking
   – Explores only feasible program behavior
   – Handles heap structures and arrays
• Abstractions for lists and arrays
   – Explore an under-approximation of feasible behavior
   – Complementary to over-approximation based abstraction
• Implementation
   – Uses Java PathFinder model checker
   – Applied for error detection in Java programs
• Future Work
   – Investigate other shape abstractions, combine with predicate abstraction
   – Test input generation, property verification (rather than refutation)
   – Automatic abstraction refinement, compositional analysis
                                                                            19

				
DOCUMENT INFO