Automata-based Model Counting for String Constraints. Abdulbaki Aydin, Lucas Bang, Tevfik Bultan

Transcription

1 Automata-based Model Counting for String Constraints Abdulbaki Aydin, Lucas Bang, Tevfik Bultan

2 Model Counting for String Constraints Automata-Based model Counter (ABC) 2

3 Can you solve it, Will Hunting? 3

4 Motivation Why care about string constraints? String constraint solvers are essential for program analysis Symbolic execution [Saxena et al., S&P 10] Symbolic verification [Alkhalaf et al., ICSE 12] Why care about model counting? Quantitative information flow analysis Probabilistic symbolic execution 4 [Clark et al., JCS 07] [McCamant et al., PLDI 08] [Phan et al., SEN 12] [Smith et al., FOSSACS 09] [Borges et al., PLDI 14] [Flieri et al., ICSE 13]

5 Outline Automata-based Constraint Solver String constraint language Constraint types Automaton construction Automata-based Model Counting Generating functions Recurrences Experimental Results Conclusion 5

6 String Constraint Language Atomic constraints 6

7 Constraint Types 7

8 Automata Construction 8

9 Automata Construction (Multi-variable) 9

10 Outline Automata-based Constraint Solver Automata-based Model Counting String constraint language Constraint types Automaton construction Generating functions Recurrences Experimental Results Conclusion 10

11 Automata-based Model Counting 11

12 Path Counting 12

13 Counting Paths w Generating Functions 13

14 Counting Paths w Generating Functions 14

15 Recurrence Relation 15

16 Good job Will Hunting! 16

17 Path Counting Methods Matrix Exponentiation Construction Time Evaluation Time 17 Dynamic Programming

18 Outline Automata-based Constraint Solver String constraint Language Constraint types Automaton construction Automata-based Model Counting Generating functions Recurrences Experimental Results Conclusion 18

19 Experimental Evaluation We implemented the techniques described as a tool called Automata-Based model Counter (ABC) We conducted experiments on 4 benchmark sets A java benchmark with wide range of string operations Kaluza Small & Kaluza Big benchmarks for satisfiability check SMC examples for direct comparison between SMC and ABC Frequency of Operations Per 1000 Formulas ASE Kaluza Small Kaluza Big

20 Satisfiability Check Comparison Compared with CVC4 Used SMT-lib format of Kaluza benchmarks from CVC4 sat/small ABC-CVC4 ABC-CVC4 ABC-CVC4 ABC-CVC4 ABC-CVC4 sat-sat unsat-unsat sat-unsat unsat-sat sat-timeout sat/big unsat/small unsat/big Constraint solver performance for Kaluza benchmarks ABC Avg. Time (seconds) CVC4 Avg. Time (seconds) big small

21 Model Counting Comparison Compared with SMC Max string length k SMC lower bound (log) SMC upper bound (log) ABC count (log) nullhttpd ghttpd csplit grep wc obscure Model counter performance for satisfiable constraints in the Kaluza benchmarks ABC Avg. Time (seconds) SMC Avg. Time (seconds) big small

22 ASE Benchmark Extracted from 7 real-world server-side Java applications Constraints were generated by extracting program path constraints through dynamic symbolic execution SMC and CVC4 are not able to handle ASE benchmark; they do not support sanitization operations such as replace # of satisfiable path constraints Avg. # of BDD Nodes (each 16 bytes) Avg. Running Time (seconds) We use MONA automata package where the transition relation is stored as a decision diagram

23 Conclusion Presented a model-counting string solver Generates an automaton that accepts all solutions to a given constraint Generates a model-counting function that, given a length bound, returns the number of solutions within that bound Future work 23 Extending ABC with new operations (e.g., lastindexof) Extending ABC with Presburger arithmetic Better approximation of relational constraints with multi-track automata

24 Thanks 24

25 Recurrence Relation 25

26 Path Counting w Generating Functions 26