190 likes | 334 Views
Symbolic Execution with Abstract Subsumption Checking. Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames Research Center Willem Visser RIACS/USRA, NASA Ames Research Center. Introduction. Goal
E N D
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames Research Center Willem Visser RIACS/USRA, NASA Ames Research Center
Introduction Goal • Error detection in programs with complex input data structures • Unbounded state space Approaches • Model checking with (predicate) abstraction, shape analysis • Over-approximations of program behavior • Preserve true results; reported errors may be spurious Our approach • Symbolic execution and model checking (TACAS’03) Contribution • State matching to limit the searched state space • Subsumption checking for symbolic states • Abstractions to further reduce the searched state space • Under-approximations of program behavior • Preserve errors of safety properties; explore only feasible behaviors
Symbolic Execution • Analysis of programs with unspecified inputs • Execute a program on symbolic inputs • Symbolic states represent sets of concrete states • For each path, build a path condition • Condition on inputs – for the execution to follow that path • Check path condition satisfiability – explore only feasible paths • Symbolic state • Symbolic values/expressions for variables • Path condition • Program counter
Example – Explicit Execution Code that swaps 2 integers Concrete Execution Path int x, y; if(x > y) { x = x + y; y = x – y; x = x – y; if(x > y) assert false; } x = 1, y = 0 1 > 0 ? true x = 1 + 0 = 1 y = 1 – 0 = 1 x = 1 – 1 = 0 0 > 1 ? false
path condition [PC:X>Y]x = X+Y–X = Y Example – Symbolic Execution Code that swaps 2 integers Symbolic Execution Tree int x, y; if (x > y) { x = x + y; y = x – y; x = x – y; if (x > y) assert false; } [PC:true]x = X,y = Y [PC:true] X > Y ? true false [PC:X≤Y]END [PC:X>Y]x= X+Y [PC:X>Y]y = X+Y–Y = X [PC:X>Y]Y>X ? false true [PC:X>YY>X]END [PC:X>YY≤X]END
Generalized Symbolic Execution • Handles • Dynamically allocated data structures, arrays • Preconditions, concurrency • Lazy initialization for arrays and structures • Java PathFinder (JPF) model checker used • To generate and explore the symbolic execution tree • Implementation via instrumentation • Programs instrumented to enable JPF to perform symbolic execution • Omega library used to check satisfiability of numeric path conditions – for linear integer constraints
next PC: true this,n V0 true false PC: V0 ≤ v PC: V0 > v END Precondition: acyclic list! Lazy initialization next this this END V0 null n true false PC: V0 ≤ v V1 ≤ v PC: V0 ≤ v V1>v END next next V0 V1 this n next next next next next this END V0 V1 V2 V0 V1 null … n n Execution tree is infinite! = un-initialized Symbolic Execution with Lazy Initialization Code class Node { int elem; Node next; Node find(int v) { Node n = this; while (n != null) { if (n.elem > v) return n; n = n.next; } return null; } }
State Matching • Symbolic state • Represents a set of concrete states • State matching • Subsumption checking between symbolic states Symbolic state S1 is subsumed by symbolic state S2 iff set of concrete states represented by S1 set of concrete states represented by S2 • Model checking • Examine if a symbolic state is subsumed by previously stored symbolic state • Continue or backtrack • Method handles • Un-initialized data structures (lists, trees), arrays • Numeric constraints
Symbolic State E1 right left E1 > E2 E2 > E3 E2 < E4 E1 > E4 E2 left right E3 E4 Heap Configuration Numeric Constraints
Subsumption for Symbolic States Two steps (same program counter): • Subsumption checking for heap configurations • Obtained through DFS traversal of “rooted” heap configurations • Roots are program variables pointing to the heap • Unique labeling for “matched” nodes • Considers only the heap shape, ignores numeric data • Subsumption checking for numeric constraints • Heap subsumption is only a pre-requisite of state subsumption • Check logical implication between numeric constraints • Existential quantifier elimination to “normalize” the constraints • Uses Omega library
1: 1: 2: 2: 3: 3: 4: 4: root root Unmatched! left right left right left right left right Subsumption for Heap Configurations root root right left right left left right right left right left
Subsumption for Numeric Constraints 1: E1 Stored state: E1 > E2 E2 > E3 E2≤ E4 E1> E4 Set of concrete states represented by stored state 2: E2 3: E3 4: E4 1: E1 E1 > E2 E2 > E3 E2 < E4 E1> E4 New state: Set of concrete states represented by new state 2: E2 3: E3 4: E4
V1,V2,V3,V4,V5,V6,V7: E1 = V1 E2 = V4 E3 = V3 E4 = V5 PC simplifies to E1 > E2 E2 > E3 E2 < E4 E1> E4 Subsumption for Numeric Constraints Existential Quantifier Elimination 1: E1:V1 Valuation: E1 = V1 E2 = V4 E3 = V3 E4 = V5 PC: V1 < V2 V4 > V3 V4 < V1 V4 < V5 V6 < V2 V7 > V2 2: E2:V4 V2 3: E3:V3 4: E4:V5 V6 V7
Abstract Subsumption • Symbolic execution with subsumption checking • Not enough to ensure termination • An infinite number of symbolic states • Our solution • Abstraction • Store abstract versions of explored symbolic states • Subsumption checking to determine if an abstract state is re-visited • Decide if the search should continue or backtrack • Enables analysis of under-approximation of program behavior • Preserves errors to safety properties • Automated support for two abstractions: • Shape abstraction for singly linked lists • Shape abstraction for arrays
Abstractions for Lists and Arrays • Shape abstraction for singly linked lists • Summarize contiguous list elements not pointed to by program variables into summary nodes • Valuation of a summary node • Union of valuations of summarized nodes • Subsumption checking between abstracted states • Same algorithm as subsumption checking for symbolic states • Treat summary node as an “ordinary” node • Abstraction for arrays • Represent array as a singly linked list • Abstraction similar to shape abstraction for linked lists
next next next next next next this this V0 V0 V1 V1 V2 V2 next next next next next this V0 V1 V3 V2 V3 n n n n next next this V0 { V1 , V2 } Abstraction for Lists Symbolic states Abstracted states 1: 2: 3: E1 = V0 E2 = V1 E3 = V2 PC: V0 ≤ v V1 ≤ v PC: V0 ≤ v V1 ≤ v Unmatched! 1: 2: 3: E1 = V0 (E2 = V1 E2 = V2) E3 = V3 PC: V0 ≤ v V1 ≤ v V2 ≤ v PC: V0 ≤ v V1 ≤ v V2 ≤ v
Experience • Implementation • Subsumption checking • Shape abstractions for singly linked lists and arrays • Error detection in Java programs • List partition: 10 step counterexample • Array partition: 30 step counterexample • Analyzed corrected programs • Abstraction effective in limiting the state space
Related Work • Under-approximation based abstraction for property falsification • Ball et al. [CAV’05] • Our previous work • Choice free search [TACAS’01] • Concrete model checking with abstract matching and refinement [CAV’05] • Model driven software verification • Use abstraction mappings during concrete model checking – Holzmann and Joshi [SPIN’04] • Symbolic execution • [King’76], Symstra [TACAS’05] • Shape analysis • TVLA, …
Conclusion and Future Work • Symbolic execution with subsumption checking • Explores only feasible program behavior • Handles heap structures and arrays • Abstractions for lists and arrays • Explore an under-approximation of feasible behavior • Complementary to over-approximation based abstraction • Implementation • Uses Java PathFinder model checker • Applied for error detection in Java programs • Future Work • Investigate other shape abstractions, combine with predicate abstraction • Test input generation, property verification (rather than refutation) • Automatic abstraction refinement, compositional analysis