Symbolic Computation via Program Transformation

Size: px

Start display at page:

Download "Symbolic Computation via Program Transformation"

Ursula Osborne
5 years ago
Views:

1 Symbolic Computation via Program Transformation Henrich Lauko, Petr Ročkai and Jiří Barnat Masaryk University Brno, Czech Republic

2 Symbolic Computation Motivation verify programs with inputs from the environment bolic execution, concolic testing, test generation etc. 1 / 16

3 Symbolic Computation Interpretation-based static dynamic llvm linked bc. program bitcode C program extract yes/no VM transitions sat? MC smt solver 2 / 16

4 Symbolic Computation Interpretation-based static dynamic llvm program linked bc. 1 a input() 2 if (a > 0) 3 b a else 5 b a - 1 bitcode C program extract yes/no VM transitions sat? MC smt solver 2 / 16

5 Symbolic Computation Interpretation-based static dynamic llvm program linked bc. 1 a input() [true] 2 if (a > 0) 3 b a else 5 b a - 1 bitcode C program extract yes/no VM transitions sat? MC smt solver 2 / 16

6 Symbolic Computation Interpretation-based static dynamic llvm program linked bc. 1 a input() [true] 2 if (a > 0) [a > 0] 3 b a else 5 b a - 1 bitcode C program extract yes/no VM transitions sat? MC smt solver 2 / 16

7 Symbolic Computation llvm Interpretation-based static linked bc. bitcode C program extract yes/no dynamic program VM transitions sat? MC smt solver 1 a input() [true] 2 if (a > 0) [a > 0] 3 b a + 1 [a > 0 b = a + 1] 4 else 5 b a / 16

8 Symbolic Computation llvm Interpretation-based static linked bc. bitcode C program extract yes/no dynamic program VM transitions sat? MC smt solver 1 a input() [true] 2 if (a > 0) [a > 0] 3 b a + 1 [a > 0 b = a + 1] 4 else 5 b a - 1 [a 0 b = a 1] 2 / 16

9 Symbolic Computation llvm Interpretation-based static linked bc. bitcode C program extract yes/no dynamic program VM transitions sat? MC smt solver 1 a input() [true] 2 if (a > 0) [a > 0] 3 b a + 1 [a > 0 b = a + 1] 4 else 5 b a - 1 [a 0 b = a 1] multiple possible paths maintained in interpreter program does not know about bolic values 2 / 16

10 Proposed Symbolic Computation llvm Interpretation-based static linked bc. dynamic program llvm Compilation-based static linked bc. dynamic program bitcode C program extract yes/no VM transitions sat? MC smt solver instrumented bitcode instrum. bitcode C program extract yes/no VM transitions sat? MC smt solver 3 / 16

11 Proposed Symbolic Computation llvm Interpretation-based static linked bc. dynamic program llvm Compilation-based static linked bc. dynamic program bitcode C program extract yes/no VM transitions sat? MC smt solver instrumented bitcode instrum. bitcode C program extract yes/no VM transitions sat? MC smt solver Motivation: minimize complexity of the verification tool 3 / 16

12 Proposed Symbolic Computation 1 a input() 2 if (a > 0) 3 b a else 5 b a a _input() 2 if (_gt(a, 0)) 3 b _add(a, 1) 4 else 5 b _sub(a, 1) llvm Compilation-based static linked bc. instrumented bitcode bitcode instrum. C program Motivation: minimize complexity of the verification tool extract yes/no dynamic program VM transitions sat? MC smt solver 3 / 16

13 Goals 1 mixing of explicit and bolic computation 4 / 16

14 Goals 1 mixing of explicit and bolic computation 2 expose a small interface to the rest of the system 4 / 16

15 Goals 1 mixing of explicit and bolic computation 2 expose a small interface to the rest of the system 3 impose minimal run-time overhead 4 / 16

16 Transformation 5 / 16

17 Transformation of Program 1 syntactically abstract the input program x:int input() y:int factorial(7) z:int x + y b:bool z < 0 x: a_int lift(*) y: int factorial(7) z: a_int a_add(x, lift(y)) b: a_bool a_lt(z, lift(0)) 6 / 16

18 Transformation of Program 1 syntactically abstract the input program x:int input() y:int factorial(7) z:int x + y b:bool z < 0 transform instructions, types, functions preserve concrete computation lift concrete values x: a_int lift(*) y: int factorial(7) z: a_int a_add(x, lift(y)) b: a_bool a_lt(z, lift(0)) 6 / 16

19 Transformation of Program 1 syntactically abstract the input program x:int input() y:int factorial(7) z:int x + y b:bool z < 0 transform instructions, types, functions preserve concrete computation lift concrete values 2 concretely realize abstraction x: _int lift(*) y: int factorial(7) z: _int _add(x, lift(y)) b: _bool _lt(z, lift(0)) x: a_int lift(*) y: int factorial(7) z: a_int a_add(x, lift(y)) b: a_bool a_lt(z, lift(0)) replace abstract calls with provided implementation 6 / 16

20 Control Flow of Symbolic Program Problem: constrained values by control flow x: int input() cond: bool x < 0 if (cond) y: int x + 1 else... both paths can happen x is not constrained 7 / 16

21 Control Flow of Symbolic Program Problem: constrained values by control flow x: int input() cond: bool x < 0 if (cond) y: int x + 1 else... both paths can happen x is not constrained Solution: instrument constraint propagation x: _int lift(*) cond: _bool _lt(x, 0) if (*) // nondeterministic x': _int assume(cond) y : _int _add(x', 1) else x': _int assume(!cond)... assumes extend a path condition 7 / 16

22 Types in the Symbolic Program Problem: how to deal with aggregate types? arr: int[] [1, 2, 3] arr[1]: int input() we want to minimize the number of bolic values 8 / 16

23 Types in the Symbolic Program Problem: how to deal with aggregate types? arr: int[] [1, 2, 3] arr[1]: int input() we want to minimize the number of bolic values Solution: use discriminated union type realize abstract value as union of concrete and bolic value arr: union[] [1, 2, 3] // either int or _int arr[1]: union lift(*) similarly deal with recursive structures 8 / 16

24 Function Calls Problem: how to transform functions with bolic arguments? int foo(a: int, b: int, c: int) 9 / 16

25 Function Calls Problem: how to transform functions with bolic arguments? int foo(a: int, b: int, c: int) may produce exponentially many duplicates: int foo(a: _int, b: int, c: int) int foo(a: int, b: _int, c: int) int foo(a: int, b: int, c: _int) int foo(a: _int, b: _int, c: int)... resolve return type 9 / 16

26 Function Calls Problem: how to transform functions with bolic arguments? int foo(a: int, b: int, c: int) may produce exponentially many duplicates: int foo(a: _int, b: int, c: int) int foo(a: int, b: _int, c: int) int foo(a: int, b: int, c: _int) int foo(a: _int, b: _int, c: int)... resolve return type Solution: static analysis + use discriminated union union foo(a: union, b: union, c: int) 9 / 16

27 Symbolic Runtime 10 / 16

28 Data Representation Symbolic execution: a: pointer malloc() w: _int lift(*) x: _int lift(*) y: _int _add(w, x) z: _int _mul(y, 7) store z a z y x? 2 +? 1 7 a w 11 / 16

29 Data Representation Symbolic execution: a: pointer malloc() w: _int lift(*) x: _int lift(*) y: _int _add(w, x) z: _int _mul(y, 7) store z a z y x? 2 +? 1 7 a w Branching example: x : _int lift(*) if (*) // nondeterministic x': _int assume(x < 10) y : _int _add(x', 1) else x': _int assume(x >= 10) y : _int _sub(x', 1) y 1 x y 2 + x < 10 true x 10 1? 1 11 / 16

30 Data Representation II. Cycle example: x : _int lift(*) for i: int x: _int _add(x, 1) x 3 x 2 x 1 + +? / 16

31 Symbolic Verification Algorithm llvm static linked bc. instrumented bitcode bitcode instrum. C program extract yes/no dynamic program VM transitions sat? MC smt solver Required support in a tool: nondeterminism feasibility check equality check values metadata Simpler domains do not even need SMT support (sign domain). 13 / 16

32 Results Integrated with DIVINE model checker: LLVM-to-LLVM transformation STP SMT solver 14 / 16

33 Results Integrated with DIVINE model checker: LLVM-to-LLVM transformation STP SMT solver Component sizes: (lines of code) DIVINE* KLEE SymDIVINE CBMC bolic support shared code reduced complexity of verification tool 14 / 16

34 Results SV-COMP Benchmarks: tag total DIVINE* SymDIVINE CBMC array bitvector loops product-lines pthread recursion systemc total / 16

35 Conclusion Goals 1 mixing of explicit and bolic computation 2 expose a small interface to the rest of the system 3 impose minimal run-time overhead 16 / 16

36 Conclusion Goals 1 mixing of explicit and bolic computation 2 expose a small interface to the rest of the system 3 impose minimal run-time overhead Summary introduced compilation-based bolic verification generalized approach to the abstraction of programs 16 / 16

Context-Switch-Directed Verification in DIVINE

Context-Switch-Directed Verification in DIVINE MEMICS 2014 Vladimír Štill Petr Ročkai Jiří Barnat Faculty of Informatics Masaryk University, Brno October 18, 2014 Vladimír Štill et al. Context-Switch-Directed