# SPIN

Document Sample

```					Symbolic Execution with Abstract
Subsumption Checking

Saswat Anand
College of Computing, Georgia Institute of Technology
Corina Păsăreanu
QSS, NASA Ames Research Center
Willem Visser
RIACS/USRA, NASA Ames Research Center
Introduction

Goal
• Error detection in programs with complex input data structures
– Unbounded state space
Approaches
• Model checking with (predicate) abstraction, shape analysis
• Over-approximations of program behavior
• Preserve true results; reported errors may be spurious
Our approach
• Symbolic execution and model checking (TACAS’03)
Contribution
• State matching to limit the searched state space
– Subsumption checking for symbolic states
– Abstractions to further reduce the searched state space
• Under-approximations of program behavior
• Preserve errors of safety properties; explore only feasible behaviors
2
Symbolic Execution

• Analysis of programs with unspecified inputs
– Execute a program on symbolic inputs
• Symbolic states represent sets of concrete states
• For each path, build a path condition
– Condition on inputs – for the execution to follow that path
– Check path condition satisfiability – explore only feasible paths
• Symbolic state
– Symbolic values/expressions for variables
– Path condition
– Program counter
3
Example – Explicit Execution

Code that swaps 2 integers   Concrete Execution Path

int x, y;                         x = 1, y = 0
if (x > y) {                      1 > 0 ? true
x = x + y;                    x=1+0=1
y = x – y;                    y=1–0=1
x = x – y;                    x=1–1=0
if (x > y)                    0 > 1 ? false
assert false;

}
4
Example – Symbolic Execution

Code that swaps 2 integers        Symbolic Execution Tree
path condition

int x, y;                         [PC:true]x = X,y = Y

if (x > y) {                        [PC:true] X > Y ?
false                    true
x = x + y;               [PC:X≤Y]END           [PC:X>Y]x= X+Y

y = x – y;                                   [PC:X>Y]y = X+Y–Y = X

x = x – y;                                   [PC:X>Y]x = X+Y–X = Y
if (x > y)                                         [PC:X>Y]Y>X ?
false                  true
assert false;                [PC:X>YY≤X]END                 [PC:X>YY>X]END
}
5
Generalized Symbolic Execution

• Handles
– Dynamically allocated data structures, arrays
– Preconditions, concurrency
• Lazy initialization for arrays and structures
• Java PathFinder (JPF) model checker used
– To generate and explore the symbolic execution tree
• Implementation via instrumentation
– Programs instrumented to enable JPF to perform symbolic
execution
– Omega library used to check satisfiability of numeric path
conditions – for linear integer constraints
6
Symbolic Execution with
Lazy Initialization
this,n                next          PC: true
V0
Code
false           true
class Node {
int elem;               Precondition:                               PC: V0 ≤ v                 PC: V0 > v END
acyclic list!
Node next;
Lazy initialization

Node find(int v) {                            this
V0
next
V1
next               this
V0
next
null END

Node n = this;                                                 n                                                  n

true
while (n != null) {     = un-initialized
false

if (n.elem > v)                                          PC: V0 ≤ v  V1 ≤ v                 PC: V0 ≤ v  V1>v END
return n;
n = n.next;
}                                                  next        next         next             this            next              next
this      V0           V1           V2                               V0            V1              null END
return null;                                                   n                                                           n

}}                                                                     …
Execution tree is infinite!
State Matching

• Symbolic state
– Represents a set of concrete states
• State matching
– Subsumption checking between symbolic states
Symbolic state S1 is subsumed by symbolic state S2 iff
set of concrete states represented by S1 
set of concrete states represented by S2

• Model checking
– Examine if a symbolic state is subsumed by previously stored symbolic state
– Continue or backtrack
• Method handles
– Un-initialized data structures (lists, trees), arrays
– Numeric constraints

8
Symbolic State

E1
left           right
E1 > E2 
E2                              E2 > E3 
left          right                    E2 < E4 
E3           E4                       E1 > E4

Heap Configuration                  Numeric Constraints

9
Subsumption for Symbolic States

Two steps (same program counter):
1. Subsumption checking for heap configurations
–   Obtained through DFS traversal of “rooted” heap configurations
•    Roots are program variables pointing to the heap
–   Unique labeling for “matched” nodes
–   Considers only the heap shape, ignores numeric data
2.   Subsumption checking for numeric constraints
–   Heap subsumption is only a pre-requisite of state subsumption
–   Check logical implication between numeric constraints
–   Existential quantifier elimination to “normalize” the constraints
•    Uses Omega library

10
Subsumption for Heap Configurations
root                                                          root

1:                                                          1:
left                right                                    left              right

2:                                                           2:
left            right       left    right                     left              right

3:           4:                                               3:           4:

root                                                           root

Unmatched!                 left             right

left               right

left           right                      left          right

11
Subsumption for Numeric Constraints

1: E1
Stored state:                    E1 > E2 
Set of concrete
2: E2         E2 > E3 
states represented
E2 ≤ E4 
by stored state
3: E3 4: E4      E1 > E4






1: E1
New state:                       E1 > E2        Set of concrete
2: E2         E2 > E3      states represented
E2 < E4         by new state
3: E3 4: E4      E1 > E4

12
Subsumption for Numeric Constraints

Existential Quantifier Elimination

1: E1:V1                        Valuation:
E1 = V1  E2 = V4  E3 = V3  E4 = V5
2: E2:V4                 V2
PC:
3: E3:V3   4: E4:V5      V6          V7      V1 < V 2  V4 > V3  V4 < V 1  V4 < V5
 V6 < V 2  V7 > V2

 V1,V2,V3,V4,V5,V6,V7:
E1 = V1  E2 = V4  E3 = V3  E4 = V5  PC

simplifies to
E1 > E2  E2 > E3  E2 < E4  E1 > E4
13
Abstract Subsumption

• Symbolic execution with subsumption checking
– Not enough to ensure termination
– An infinite number of symbolic states
• Our solution
– Abstraction
• Store abstract versions of explored symbolic states
• Subsumption checking to determine if an abstract state is re-visited
• Decide if the search should continue or backtrack
– Enables analysis of under-approximation of program behavior
– Preserves errors to safety properties
• Automated support for two abstractions:
– Shape abstraction for singly linked lists
– Shape abstraction for arrays

14
Abstractions for Lists and Arrays

• Shape abstraction for singly linked lists
– Summarize contiguous list elements not pointed to by
program variables into summary nodes
– Valuation of a summary node
• Union of valuations of summarized nodes
– Subsumption checking between abstracted states
• Same algorithm as subsumption checking for symbolic states
• Treat summary node as an “ordinary” node
• Abstraction for arrays
– Represent array as a singly linked list
– Abstraction similar to shape abstraction for linked lists

15
Abstraction for Lists

Symbolic states                                                        Abstracted states
1:              2:            3:
this          next        next        next                       this                  next          next           next
V0          V1          V2                                               V0            V1           V2
n                                                                          n

E1 = V0  E2 = V1  E3 = V2
PC: V0 ≤ v  V1 ≤ v
PC: V0 ≤ v  V1 ≤ v

Unmatched!


1:               2:                         3:
next        next        next        next                            next                           next        next
this     V0          V1          V2          V3           this               V0               { V1 , V2 }               V3
n                                                                      n

E1 = V0  (E2 = V1  E2 = V2)  E3 = V3
PC: V0 ≤ v  V1 ≤ v  V2 ≤ v
PC: V0 ≤ v  V1 ≤ v  V2 ≤ v

16
Experience

• Implementation
– Subsumption checking
– Shape abstractions for singly linked lists and arrays
• Error detection in Java programs
– List partition: 10 step counterexample
– Array partition: 30 step counterexample
• Analyzed corrected programs
– Abstraction effective in limiting the state space

17
Related Work

• Under-approximation based abstraction for property falsification
– Ball et al. [CAV’05]
• Our previous work
– Choice free search [TACAS’01]
– Concrete model checking with abstract matching and refinement
[CAV’05]
• Model driven software verification
– Use abstraction mappings during concrete model checking – Holzmann
and Joshi [SPIN’04]
• Symbolic execution
– [King’76], Symstra [TACAS’05]
• Shape analysis
– TVLA, …
18
Conclusion and Future Work

• Symbolic execution with subsumption checking
– Explores only feasible program behavior
– Handles heap structures and arrays
• Abstractions for lists and arrays
– Explore an under-approximation of feasible behavior
– Complementary to over-approximation based abstraction
• Implementation
– Uses Java PathFinder model checker
– Applied for error detection in Java programs
• Future Work
– Investigate other shape abstractions, combine with predicate abstraction
– Test input generation, property verification (rather than refutation)
– Automatic abstraction refinement, compositional analysis
19

```
DOCUMENT INFO
Shared By:
Categories:
Stats:
 views: 9 posted: 5/8/2011 language: English pages: 19