Symbolic Computation via Program Transformation
|
|
- Ursula Osborne
- 5 years ago
- Views:
Transcription
1 Symbolic Computation via Program Transformation Henrich Lauko, Petr Ročkai and Jiří Barnat Masaryk University Brno, Czech Republic
2 Symbolic Computation Motivation verify programs with inputs from the environment bolic execution, concolic testing, test generation etc. 1 / 16
3 Symbolic Computation Interpretation-based static dynamic llvm linked bc. program bitcode C program extract yes/no VM transitions sat? MC smt solver 2 / 16
4 Symbolic Computation Interpretation-based static dynamic llvm program linked bc. 1 a input() 2 if (a > 0) 3 b a else 5 b a - 1 bitcode C program extract yes/no VM transitions sat? MC smt solver 2 / 16
5 Symbolic Computation Interpretation-based static dynamic llvm program linked bc. 1 a input() [true] 2 if (a > 0) 3 b a else 5 b a - 1 bitcode C program extract yes/no VM transitions sat? MC smt solver 2 / 16
6 Symbolic Computation Interpretation-based static dynamic llvm program linked bc. 1 a input() [true] 2 if (a > 0) [a > 0] 3 b a else 5 b a - 1 bitcode C program extract yes/no VM transitions sat? MC smt solver 2 / 16
7 Symbolic Computation llvm Interpretation-based static linked bc. bitcode C program extract yes/no dynamic program VM transitions sat? MC smt solver 1 a input() [true] 2 if (a > 0) [a > 0] 3 b a + 1 [a > 0 b = a + 1] 4 else 5 b a / 16
8 Symbolic Computation llvm Interpretation-based static linked bc. bitcode C program extract yes/no dynamic program VM transitions sat? MC smt solver 1 a input() [true] 2 if (a > 0) [a > 0] 3 b a + 1 [a > 0 b = a + 1] 4 else 5 b a - 1 [a 0 b = a 1] 2 / 16
9 Symbolic Computation llvm Interpretation-based static linked bc. bitcode C program extract yes/no dynamic program VM transitions sat? MC smt solver 1 a input() [true] 2 if (a > 0) [a > 0] 3 b a + 1 [a > 0 b = a + 1] 4 else 5 b a - 1 [a 0 b = a 1] multiple possible paths maintained in interpreter program does not know about bolic values 2 / 16
10 Proposed Symbolic Computation llvm Interpretation-based static linked bc. dynamic program llvm Compilation-based static linked bc. dynamic program bitcode C program extract yes/no VM transitions sat? MC smt solver instrumented bitcode instrum. bitcode C program extract yes/no VM transitions sat? MC smt solver 3 / 16
11 Proposed Symbolic Computation llvm Interpretation-based static linked bc. dynamic program llvm Compilation-based static linked bc. dynamic program bitcode C program extract yes/no VM transitions sat? MC smt solver instrumented bitcode instrum. bitcode C program extract yes/no VM transitions sat? MC smt solver Motivation: minimize complexity of the verification tool 3 / 16
12 Proposed Symbolic Computation 1 a input() 2 if (a > 0) 3 b a else 5 b a a _input() 2 if (_gt(a, 0)) 3 b _add(a, 1) 4 else 5 b _sub(a, 1) llvm Compilation-based static linked bc. instrumented bitcode bitcode instrum. C program Motivation: minimize complexity of the verification tool extract yes/no dynamic program VM transitions sat? MC smt solver 3 / 16
13 Goals 1 mixing of explicit and bolic computation 4 / 16
14 Goals 1 mixing of explicit and bolic computation 2 expose a small interface to the rest of the system 4 / 16
15 Goals 1 mixing of explicit and bolic computation 2 expose a small interface to the rest of the system 3 impose minimal run-time overhead 4 / 16
16 Transformation 5 / 16
17 Transformation of Program 1 syntactically abstract the input program x:int input() y:int factorial(7) z:int x + y b:bool z < 0 x: a_int lift(*) y: int factorial(7) z: a_int a_add(x, lift(y)) b: a_bool a_lt(z, lift(0)) 6 / 16
18 Transformation of Program 1 syntactically abstract the input program x:int input() y:int factorial(7) z:int x + y b:bool z < 0 transform instructions, types, functions preserve concrete computation lift concrete values x: a_int lift(*) y: int factorial(7) z: a_int a_add(x, lift(y)) b: a_bool a_lt(z, lift(0)) 6 / 16
19 Transformation of Program 1 syntactically abstract the input program x:int input() y:int factorial(7) z:int x + y b:bool z < 0 transform instructions, types, functions preserve concrete computation lift concrete values 2 concretely realize abstraction x: _int lift(*) y: int factorial(7) z: _int _add(x, lift(y)) b: _bool _lt(z, lift(0)) x: a_int lift(*) y: int factorial(7) z: a_int a_add(x, lift(y)) b: a_bool a_lt(z, lift(0)) replace abstract calls with provided implementation 6 / 16
20 Control Flow of Symbolic Program Problem: constrained values by control flow x: int input() cond: bool x < 0 if (cond) y: int x + 1 else... both paths can happen x is not constrained 7 / 16
21 Control Flow of Symbolic Program Problem: constrained values by control flow x: int input() cond: bool x < 0 if (cond) y: int x + 1 else... both paths can happen x is not constrained Solution: instrument constraint propagation x: _int lift(*) cond: _bool _lt(x, 0) if (*) // nondeterministic x': _int assume(cond) y : _int _add(x', 1) else x': _int assume(!cond)... assumes extend a path condition 7 / 16
22 Types in the Symbolic Program Problem: how to deal with aggregate types? arr: int[] [1, 2, 3] arr[1]: int input() we want to minimize the number of bolic values 8 / 16
23 Types in the Symbolic Program Problem: how to deal with aggregate types? arr: int[] [1, 2, 3] arr[1]: int input() we want to minimize the number of bolic values Solution: use discriminated union type realize abstract value as union of concrete and bolic value arr: union[] [1, 2, 3] // either int or _int arr[1]: union lift(*) similarly deal with recursive structures 8 / 16
24 Function Calls Problem: how to transform functions with bolic arguments? int foo(a: int, b: int, c: int) 9 / 16
25 Function Calls Problem: how to transform functions with bolic arguments? int foo(a: int, b: int, c: int) may produce exponentially many duplicates: int foo(a: _int, b: int, c: int) int foo(a: int, b: _int, c: int) int foo(a: int, b: int, c: _int) int foo(a: _int, b: _int, c: int)... resolve return type 9 / 16
26 Function Calls Problem: how to transform functions with bolic arguments? int foo(a: int, b: int, c: int) may produce exponentially many duplicates: int foo(a: _int, b: int, c: int) int foo(a: int, b: _int, c: int) int foo(a: int, b: int, c: _int) int foo(a: _int, b: _int, c: int)... resolve return type Solution: static analysis + use discriminated union union foo(a: union, b: union, c: int) 9 / 16
27 Symbolic Runtime 10 / 16
28 Data Representation Symbolic execution: a: pointer malloc() w: _int lift(*) x: _int lift(*) y: _int _add(w, x) z: _int _mul(y, 7) store z a z y x? 2 +? 1 7 a w 11 / 16
29 Data Representation Symbolic execution: a: pointer malloc() w: _int lift(*) x: _int lift(*) y: _int _add(w, x) z: _int _mul(y, 7) store z a z y x? 2 +? 1 7 a w Branching example: x : _int lift(*) if (*) // nondeterministic x': _int assume(x < 10) y : _int _add(x', 1) else x': _int assume(x >= 10) y : _int _sub(x', 1) y 1 x y 2 + x < 10 true x 10 1? 1 11 / 16
30 Data Representation II. Cycle example: x : _int lift(*) for i: int x: _int _add(x, 1) x 3 x 2 x 1 + +? / 16
31 Symbolic Verification Algorithm llvm static linked bc. instrumented bitcode bitcode instrum. C program extract yes/no dynamic program VM transitions sat? MC smt solver Required support in a tool: nondeterminism feasibility check equality check values metadata Simpler domains do not even need SMT support (sign domain). 13 / 16
32 Results Integrated with DIVINE model checker: LLVM-to-LLVM transformation STP SMT solver 14 / 16
33 Results Integrated with DIVINE model checker: LLVM-to-LLVM transformation STP SMT solver Component sizes: (lines of code) DIVINE* KLEE SymDIVINE CBMC bolic support shared code reduced complexity of verification tool 14 / 16
34 Results SV-COMP Benchmarks: tag total DIVINE* SymDIVINE CBMC array bitvector loops product-lines pthread recursion systemc total / 16
35 Conclusion Goals 1 mixing of explicit and bolic computation 2 expose a small interface to the rest of the system 3 impose minimal run-time overhead 16 / 16
36 Conclusion Goals 1 mixing of explicit and bolic computation 2 expose a small interface to the rest of the system 3 impose minimal run-time overhead Summary introduced compilation-based bolic verification generalized approach to the abstraction of programs 16 / 16
Context-Switch-Directed Verification in DIVINE
Context-Switch-Directed Verification in DIVINE MEMICS 2014 Vladimír Štill Petr Ročkai Jiří Barnat Faculty of Informatics Masaryk University, Brno October 18, 2014 Vladimír Štill et al. Context-Switch-Directed
More informationModel Checking of C and C++ with DIVINE 4
Model Checking of C and C++ with DIVINE 4 Zuzana Baranová, Jiří Barnat, Katarína Kejstová, Tadeáš Kučera, Henrich Lauko, Jan Mrázek, Petr Ročkai, Vladimír Štill Faculty of Informatics, Masaryk University
More information}w!"#$%&'()+,-./012345<ya
Masaryk University Faculty of Informatics }w!"#$%&'()+,-./012345
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationBounded Model Checking Of C Programs: CBMC Tool Overview
Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning
More informationn HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week!
Announcements SMT Solvers, Symbolic Execution n HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week! n Presentations n Some of
More informationModel Checking Parallel Programs with Inputs
Model Checking Parallel Programs with Inputs Jiří Barnat, Petr Bauch and Vojtěch Havel 12 February 2014 Barnat et. al. (ParaDiSe) Control Explicit Data Symbolic 1 / 23 Motivation: Parallel Software Verification
More informationIntroduction to Symbolic Execution
Introduction to Symbolic Execution Classic Symbolic Execution 1 Problem 1: Infinite execution path Problem 2: Unsolvable formulas 2 Problem 3: symbolic modeling External function calls and system calls
More informationUsing Off-the-Shelf Exception Support Components in C++ Verification
Using Off-the-Shelf Exception Support Components in C++ Verification Vladimír Štill Faculty of Informatics, Masaryk University Brno, Czech Republic Email: xstill@fi.muni.cz Petr Ročkai Faculty of Informatics,
More informationMEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING
FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING Herbert Rocha, Raimundo Barreto,
More informationarxiv: v1 [cs.se] 31 May 2018
From Model Checking to Runtime Verification and Back Katarína Kejstová, Petr Ročkai, and Jiří Barnat arxiv:1805.12428v1 [cs.se] 31 May 2018 Faculty of Informatics, Masaryk University Brno, Czech Republic
More informationCombining Static and Dynamic Contract Checking for Curry
Michael Hanus (CAU Kiel) Combining Static and Dynamic Contract Checking for Curry LOPSTR 2017 1 Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel Programming Languages
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationShort Notes of CS201
#includes: Short Notes of CS201 The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with < and > if the file is a system
More informationDART: Directed Automated Random Testing. CUTE: Concolic Unit Testing Engine. Slide Source: Koushik Sen from Berkeley
DAR: Directed Automated Random esting CUE: Concolic Unit esting Engine Slide Source: Koushik Sen from Berkeley Verification and esting We would like to prove programs correct Verification and esting We
More informationCS201 - Introduction to Programming Glossary By
CS201 - Introduction to Programming Glossary By #include : The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with
More informationImproving Program Testing and Understanding via Symbolic Execution
Improving Program Testing and Understanding via Symbolic Execution Kin-Keung Ma PhD Dissertation Defense December 9 th, 2011 Motivation } Every year, billions of dollars are lost due to software system
More informationHigh-performance defunctionalization in Futhark
1 High-performance defunctionalization in Futhark Anders Kiel Hovgaard Troels Henriksen Martin Elsman Department of Computer Science University of Copenhagen (DIKU) Trends in Functional Programming, 2018
More informationCS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan Remember Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas
More informationProgram Analysis and Constraint Programming
Program Analysis and Constraint Programming Joxan Jaffar National University of Singapore CPAIOR MasterClass, 18-19 May 2015 1 / 41 Program Testing, Verification, Analysis (TVA)... VS... Satifiability/Optimization
More informationcs242 Kathleen Fisher Reading: Concepts in Programming Languages, Chapter 6 Thanks to John Mitchell for some of these slides.
cs242 Kathleen Fisher Reading: Concepts in Programming Languages, Chapter 6 Thanks to John Mitchell for some of these slides. We are looking for homework graders. If you are interested, send mail to cs242cs.stanford.edu
More informationHandling Loops in Bounded Model Checking of C Programs via k-induction
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Handling Loops in Bounded Model Checking of C Programs via k-induction Mikhail Y. R. Gadelha, Hussama I. Ismail, and
More informationTapir: a language for verified OS kernel probes
Tapir: a language for verified OS kernel probes Ilya Yanok, Nathaniel Nystrom 4 Oct 2015 Motivation System debugging and tuning Systems are large and complex Problems often occur only after deployment
More informationCOMP 181. Agenda. Midterm topics. Today: type checking. Purpose of types. Type errors. Type checking
Agenda COMP 181 Type checking October 21, 2009 Next week OOPSLA: Object-oriented Programming Systems Languages and Applications One of the top PL conferences Monday (Oct 26 th ) In-class midterm Review
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationContext-Switch-Directed Verification in DIVINE
Context-Switch-Directed Verification in DIVINE Vladimír Štill, Petr Ročkai, and Jiří Barnat Faculty of Informatics, Masaryk University Brno, Czech Republic {xstill,xrockai,barnat}@fi.muni.cz Abstract.
More informationTrickle: Automated Infeasible Path
Trickle: Automated Infeasible Path Detection Using All Minimal Unsatisfiable Subsets Bernard Blackham, Mark Liffiton, Gernot Heiser School of Computer Science & Engineering, UNSW Software Systems Research
More informationSection 9: Compiling Constraints
Section 9: Compiling Constraints In this section, we will practice compiling 401 CP programs into SAT. 401 CP is an extension of our 401 language. It has the following additional constructs which allow
More informationThe Low-Level Bounded Model Checker LLBMC
The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Carsten Sinz Stephan Falke Florian Merz October 7, 2010 VERIFICATION MEETS ALGORITHM ENGINEERING KIT University of the State of
More informationVerifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China
Verifying Temporal Properties via Dynamic Program Execution Zhenhua Duan Xidian University, China Main Points Background & Motivation MSVL and Compiler PPTL Unified Program Verification Tool Demo Conclusion
More informationType Assisted Synthesis of Programs with Algebraic Data Types
Type Assisted Synthesis of Programs with Algebraic Data Types Jeevana Priya Inala MIT Collaborators: Xiaokang Qiu (MIT), Ben Lerner (Brown), Armando Solar-Lezama (MIT) Example - Desugaring a simple language
More informationQemu code fault automatic discovery with symbolic search. Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel
Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel Goals of this presentation Introduction of KLEE (symbolic execution tool) Qemu fault/patch
More informationPutting the Checks into Checked C. Archibald Samuel Elliott Quals - 31st Oct 2017
Putting the Checks into Checked C Archibald Samuel Elliott Quals - 31st Oct 2017 Added Runtime Bounds Checks to the Checked C Compiler 2 C Extension for Spatial Memory Safety Added Runtime Bounds Checks
More informationABC basics (compilation from different articles)
1. AIG construction 2. AIG optimization 3. Technology mapping ABC basics (compilation from different articles) 1. BACKGROUND An And-Inverter Graph (AIG) is a directed acyclic graph (DAG), in which a node
More informationSMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva
SMT-Based Bounded Model Checking for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva b.fischer@ecs.soton.ac.uk Bounded Model Checking (BMC) Basic Idea: check negation of given
More informationMemory Safety for Embedded Devices with nescheck
Memory Safety for Embedded Devices with nescheck Daniele MIDI, Mathias PAYER, Elisa BERTINO Purdue University AsiaCCS 2017 Ubiquitous Computing and Security Sensors and WSNs are pervasive Small + cheap
More informationAccelerating Stateflow With LLVM
Accelerating Stateflow With LLVM By Dale Martin Dale.Martin@mathworks.com 2015 The MathWorks, Inc. 1 What is Stateflow? A block in Simulink, which is a graphical language for modeling algorithms 2 What
More informationarxiv: v1 [cs.pl] 20 Nov 2017
SMT Queries Decomposition and Caching in Semi-Symbolic Model Checking Jan Mrázek Masaryk University Brno, Czech Republic xmrazek7@fi.muni.cz Martin Jonáš Masaryk University Brno, Czech Republic xjonas@fi.muni.cz
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Ocaml/HW #3 Q-A Session Push deadline = Mar 10 Session Mon 3pm? Lecture 15: Type Systems Ranjit Jhala UC San Diego Why Typed Languages? Development
More informationBEAMJIT: An LLVM based just-in-time compiler for Erlang. Frej Drejhammar
BEAMJIT: An LLVM based just-in-time compiler for Erlang Frej Drejhammar 140407 Who am I? Senior researcher at the Swedish Institute of Computer Science (SICS) working on programming languages,
More informationCMSC 430 Introduction to Compilers. Fall Symbolic Execution
CMSC 430 Introduction to Compilers Fall 2015 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis It all looks good
More informationESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer
ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC: SMT-based BMC of single- and multi-threaded software exploits SMT solvers and their
More informationType checking of statements We change the start rule from P D ; E to P D ; S and add the following rules for statements: S id := E
Type checking of statements We change the start rule from P D ; E to P D ; S and add the following rules for statements: S id := E if E then S while E do S S ; S Type checking of statements The purpose
More informationCSE 504: Compiler Design. Runtime Environments
Runtime Environments Pradipta De pradipta.de@sunykorea.ac.kr Current Topic Procedure Abstractions Mechanisms to manage procedures and procedure calls from compiler s perspective Runtime Environment Choices
More informationBlock-wise abstract interpretation by combining abstract domains with SMT
Block-wise abstract interpretation by combining abstract domains with SMT Jiahong Jiang, Liqian Chen, Xueguang Wu, Ji Wang National University of Defense Technology, China 01/16/2017 VMCAI 2017 Overview
More informationMotivation for typed languages
Motivation for typed languages Untyped Languages: perform any operation on any data. Example: Assembly movi 5 r0 // Move integer 5 (some representation) to r0 addf 3.6 r0 // Treat bit representation in
More informationIntroduction to CBMC: Part 1
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel, Sagar Chaki October 2, 2007 Many slides are courtesy of Daniel Kroening Bug Catching with SAT Solvers Main
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More informationYices 1.0: An Efficient SMT Solver
Yices 1.0: An Efficient SMT Solver AFM 06 Tutorial Leonardo de Moura (joint work with Bruno Dutertre) {demoura, bruno}@csl.sri.com. Computer Science Laboratory SRI International Menlo Park, CA Yices: An
More informationAssignment 4: Semantics
Assignment 4: Semantics 15-411: Compiler Design Jan Hoffmann Jonathan Burns, DeeDee Han, Anatol Liu, Alice Rao Due Thursday, November 3, 2016 (9:00am) Reminder: Assignments are individual assignments,
More informationBuilding Program Verifiers from Compilers and Theorem Provers
Building Program Verifiers from Compilers and Theorem Provers Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel based on joint work with Teme Kahsai, Jorge A.
More informationRecursion. What is Recursion? Simple Example. Repeatedly Reduce the Problem Into Smaller Problems to Solve the Big Problem
Recursion Repeatedly Reduce the Problem Into Smaller Problems to Solve the Big Problem What is Recursion? A problem is decomposed into smaller sub-problems, one or more of which are simpler versions of
More informationTargeting LLVM IR. LLVM IR, code emission, assignment 4
Targeting LLVM IR LLVM IR, code emission, assignment 4 LLVM Overview Common set of tools & optimizations for compiling many languages to many architectures (x86, ARM, PPC, ASM.js). Integrates AOT & JIT
More informationImplementing the C++ Core Guidelines Lifetime Safety Profile in Clang
Implementing the C++ Core Guidelines Lifetime Safety Profile in Clang Matthias Gehre gehre@silexica.com Gábor Horváth xazax.hun@gmail.com 1 Agenda Motivation Whirlwind tour of lifetime analysis See the
More informationSymbolic Execution for Bug Detection and Automated Exploit Generation
Symbolic Execution for Bug Detection and Automated Exploit Generation Daniele Cono D Elia Credits: Emilio Coppa SEASON Lab season-lab.github.io May 27, 2016 1 / 29 Daniele Cono D Elia Symbolic Execution
More informationHandout 2 August 25, 2008
CS 502: Compiling and Programming Systems Handout 2 August 25, 2008 Project The project you will implement will be a subset of Standard ML called Mini-ML. While Mini- ML shares strong syntactic and semantic
More informationSemantics-Based Program Verifiers for All Languages
Language-independent Semantics-Based Program Verifiers for All Languages Andrei Stefanescu Daejun Park Shijiao Yuwen Yilong Li Grigore Rosu Nov 2, 2016 @ OOPSLA 16 Problems with state-of-the-art verifiers
More informationSimple Unification-based Type Inference for GADTs
Simple Unification-based Type Inference for GADTs Stephanie Weirich University of Pennsylvania joint work with Dimitrios Vytiniotis, Simon Peyton Jones and Geoffrey Washburn Overview Goal: Add GADTs to
More informationUfo: A Framework for Abstraction- and Interpolation-Based Software Verification
Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification Aws Albarghouthi 1, Yi Li 1, Arie Gurfinkel 2, and Marsha Chechik 1 1 Department of Computer Science, University of Toronto,
More informationSymbolic Execution. Wei Le April
Symbolic Execution Wei Le 2016 April Agenda What is symbolic execution? Applications History Interal Design: The three challenges Path explosion Modeling statements and environments Constraint solving
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationKLEE: Effective Testing of Systems Programs Cristian Cadar
KLEE: Effective Testing of Systems Programs Cristian Cadar Joint work with Daniel Dunbar and Dawson Engler April 16th, 2009 Writing Systems Code Is Hard Code complexity Tricky control flow Complex dependencies
More informationIncremental Runtime Verification of Probabilistic Systems
Incremental Runtime Verification of Probabilistic Systems Vojtěch Forejt 1, Marta Kwiatkowska 1, David Parker 2, Hongyang Qu 1, and Mateusz Ujma 1 1 Department of Computer Science, University of Oxford,
More informationData Abstraction. An Abstraction for Inductive Data Types. Philip W. L. Fong.
Data Abstraction An Abstraction for Inductive Data Types Philip W. L. Fong pwlfong@cs.uregina.ca Department of Computer Science University of Regina Regina, Saskatchewan, Canada Introduction This lecture
More informationPUG (Prover of User GPU Programs) v0.2
PUG (Prover of User GPU Programs) v0.2 Guodong Li School of Computing, University of Utah 1 Installation For details on PUG, see our forthcoming FSE 2010 paper. This manual pertains to our tool for which
More informationMetaprogramming and symbolic execution for detecting runtime errors in Erlang programs
Metaprogramming and symbolic execution for detecting runtime errors in Erlang programs Emanuele De Angelis 1, Fabio Fioravanti 1, Adrián Palacios 2, Alberto Pettorossi 3 and Maurizio Proietti 4 1 University
More information15 150: Principles of Functional Programming. More about Higher-Order Functions
15 150: Principles of Functional Programming More about Higher-Order Functions Michael Erdmann Spring 2018 1 Topics Currying and uncurrying Staging computation Partial evaluation Combinators 2 Currying
More informationSMT-Style Program Analysis with Value-based Refinements
SMT-Style Program Analysis with Value-based Refinements Vijay D Silva Leopold Haller Daniel Kröning NSV-3 July 15, 2010 Outline Imprecision and Refinement in Abstract Interpretation SAT Style Abstract
More informationMore Untyped Lambda Calculus & Simply Typed Lambda Calculus
Concepts in Programming Languages Recitation 6: More Untyped Lambda Calculus & Simply Typed Lambda Calculus Oded Padon & Mooly Sagiv (original slides by Kathleen Fisher, John Mitchell, Shachar Itzhaky,
More informationSymbolic Memory with Pointers
Symbolic Memory with Pointers Marek Trtík 1, and Jan Strejček 2 1 VERIMAG, Grenoble, France Marek.Trtik@imag.fr 2 Faculty of Informatics, Masaryk University, Brno, Czech Republic strejcek@fi.muni.cz Abstract.
More informationProgram Testing via Symbolic Execution
Program Testing via Symbolic Execution Daniel Dunbar Program Testing via Symbolic Execution p. 1/26 Introduction Motivation Manual testing is difficult Program Testing via Symbolic Execution p. 2/26 Introduction
More informationMicrosoft SAGE and LLVM KLEE. Julian Cohen Manual and Automatic Program Analysis
Microsoft SAGE and LLVM KLEE Julian Cohen HockeyInJune@isis.poly.edu Manual and Automatic Program Analysis KLEE KLEE [OSDI 2008, Best Paper Award] Based on symbolic execution and constraint solving techniques
More informationCS1622. Semantic Analysis. The Compiler So Far. Lecture 15 Semantic Analysis. How to build symbol tables How to use them to find
CS1622 Lecture 15 Semantic Analysis CS 1622 Lecture 15 1 Semantic Analysis How to build symbol tables How to use them to find multiply-declared and undeclared variables. How to perform type checking CS
More informationRecursive Types and Subtyping
Recursive Types and Subtyping #1 One-Slide Summary Recursive types (e.g., list) make the typed lambda calculus as powerful as the untyped lambda calculus. If is a subtype of then any expression of type
More informationProgramming Languages and Compilers (CS 421)
Programming Languages and Compilers (CS 421) Elsa L Gunter 2112 SC, UIUC http://courses.engr.illinois.edu/cs421 Based in part on slides by Mattox Beckman, as updated by Vikram Adve and Gul Agha 10/3/17
More informationFormally Certified Satisfiability Solving
SAT/SMT Proof Checking Verifying SAT Solver Code Future Work Computer Science, The University of Iowa, USA April 23, 2012 Seoul National University SAT/SMT Proof Checking Verifying SAT Solver Code Future
More informationMidterm 2 Solutions Many acceptable answers; one was the following: (defparameter g1
Midterm 2 Solutions 1. [20 points] Consider the language that consist of possibly empty lists of the identifier x enclosed by parentheses and separated by commas. The language includes { () (x) (x,x) (x,x,x)
More informationSymbolic Execution. Michael Hicks. for finding bugs. CMSC 631, Fall 2017
Symbolic Execution for finding bugs Michael Hicks CMSC 631, Fall 2017 Software has bugs To find them, we use testing and code reviews But some bugs are still missed Rare features Rare circumstances Nondeterminism
More informationThe Boogie Intermediate Language
The Boogie Intermediate Language What is BoogiePL? A simplified C-like language that s structured for verification tasks Has constructs that allow specification of assumptions and axioms, as well as assertions
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationIntroduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 December 5, 2011 based on slides by Daniel Kroening Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use
More informationOn Reasoning about Finite Sets in Software Checking
On Reasoning about Finite Sets in Software Model Checking Pavel Shved Institute for System Programming, RAS SYRCoSE 2 June 2010 Static Program Verification Static Verification checking programs against
More informationBEAMJIT, a Maze of Twisty Little Traces
BEAMJIT, a Maze of Twisty Little Traces A walk-through of the prototype just-in-time (JIT) compiler for Erlang. Frej Drejhammar 130613 Who am I? Senior researcher at the Swedish Institute
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationSEMANTIC ANALYSIS TYPES AND DECLARATIONS
SEMANTIC ANALYSIS CS 403: Type Checking Stefan D. Bruda Winter 2015 Parsing only verifies that the program consists of tokens arranged in a syntactically valid combination now we move to check whether
More informationA New Abstraction Framework for Affine Transformers
A New Abstraction Framework for Affine Transformers Tushar Sharma and Thomas Reps SAS 17 Motivations Prove Program Assertions Function and loop summaries Sound with respect to bitvectors A NEW ABSTRACTION
More information8. Functions (II) Control Structures: Arguments passed by value and by reference int x=5, y=3, z; z = addition ( x, y );
- 50 - Control Structures: 8. Functions (II) Arguments passed by value and by reference. Until now, in all the functions we have seen, the arguments passed to the functions have been passed by value. This
More informationCS 510/13. Predicate Abstraction
CS 50/3 Predicate Abstraction Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs
More informationSatisfiability Modulo Theories. DPLL solves Satisfiability fine on some problems but not others
DPLL solves Satisfiability fine on some problems but not others DPLL solves Satisfiability fine on some problems but not others Does not do well on proving multipliers correct pigeon hole formulas cardinality
More informationSoftware Model Checking. From Programs to Kripke Structures
Software Model Checking (in (in C or or Java) Java) Model Model Extraction 1: int x = 2; int y = 2; 2: while (y
More informationAutomated Test Generation using CBMC
Automated Test Generation using CBMC Rui Gonçalo CROSS Project Computer Science Department University of Minho December 2012 Automated Test Generation using CBMC Summary 2/61 Summary 1 Software Testing
More informationLecture 15 CIS 341: COMPILERS
Lecture 15 CIS 341: COMPILERS Announcements HW4: OAT v. 1.0 Parsing & basic code generation Due: March 28 th No lecture on Thursday, March 22 Dr. Z will be away Zdancewic CIS 341: Compilers 2 Adding Integers
More informationEquivalence Checking of C Programs by Locally Performing Symbolic Simulation on Dependence Graphs
Equivalence Checking of C Programs by Locally Performing Symbolic Simulation on Dependence Graphs Takeshi Matsumoto, Hiroshi Saito, and Masahiro Fujita Dept. of Electronics Engineering, University of Tokyo
More informationSoot A Java Bytecode Optimization Framework. Sable Research Group School of Computer Science McGill University
Soot A Java Bytecode Optimization Framework Sable Research Group School of Computer Science McGill University Goal Provide a Java framework for optimizing and annotating bytecode provide a set of API s
More informationGenetic improvement of software: a case study
Genetic improvement of software: a case study Justyna Petke Centre for Research on Evolution, Search and Testing Department of Computer Science, UCL, London Genetic Improvement Programming Automatically
More informationOutline. Introduction Concepts and terminology The case for static typing. Implementing a static type system Basic typing relations Adding context
Types 1 / 15 Outline Introduction Concepts and terminology The case for static typing Implementing a static type system Basic typing relations Adding context 2 / 15 Types and type errors Type: a set of
More informationSymbolic Execution, Dynamic Analysis
Symbolic Execution, Dynamic Analysis http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Symbolic execution Pavel Parízek Symbolic Execution, Dynamic Analysis
More informationSymbolic Execu.on. Suman Jana
Symbolic Execu.on Suman Jana Acknowledgement: Baishakhi Ray (Uva), Omar Chowdhury (Purdue), Saswat Anand (GA Tech), Rupak Majumdar (UCLA), Koushik Sen (UCB) What is the goal? Tes.ng Tes%ng approaches are
More informationApplication: Programming Language Semantics
Chapter 8 Application: Programming Language Semantics Prof. Dr. K. Madlener: Specification and Verification in Higher Order Logic 527 Introduction to Programming Language Semantics Programming Language
More informationHybrid dynamics in Modelica: should all events be considered synchronous. Ramine Nikoukhah INRIA. Modelica/Scicos
Hybrid dynamics in Modelica: should all events be considered synchronous Ramine Nikoukhah INRIA EOOLT 2007 Modelica/Scicos Modelica: language for modeling physical systems. Originally continuous-time modeling
More information