Reading Assignment. Symbolic Evaluation/Execution. Move from Dynamic Analysis to Static Analysis. Move from Dynamic Analysis to Static Analysis

Similar documents
Symbolic Evaluation/Execution

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2012!

Introduction to Dynamic Analysis

White-Box Testing Techniques III

Static Analysis! Prof. Leon J. Osterweil! CS 520/620! Fall 2012! Characteristics of! System to be! built must! match required! characteristics!

CUTE: A Concolic Unit Testing Engine for C

Basic Verification Strategy

Compositional Symbolic Execution through Program Specialization

Symbolic and Concolic Execution of Programs

Applications of Program analysis in Model-Based Design

Hoare Logic: Proving Programs Correct

Software Testing Prof. Meenakshi D Souza Department of Computer Science and Engineering International Institute of Information Technology, Bangalore

Lectures 20, 21: Axiomatic Semantics

Verification Overview Testing Theory and Principles Testing in Practice. Verification. Miaoqing Huang University of Arkansas 1 / 80

Proving the Correctness of Distributed Algorithms using TLA

Having a BLAST with SLAM

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Reasoning about programs

A Partial Correctness Proof for Programs with Decided Specifications

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Dataflow-based Coverage Criteria

Programming Languages Third Edition

An Eclipse Plug-in for Model Checking

VS 3 : SMT Solvers for Program Verification

Introduction to Axiomatic Semantics

Areas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1

Page 1. Reading assignment: Reviews and Inspections. Foundations for SE Analysis. Ideally want general models. Formal models

INTRODUCTION. Objective: - Algorithms - Techniques - Analysis. Algorithms:

Iterative Program Analysis Abstract Interpretation

An Introduction to Systematic Software Testing. Robert France CSU

Test Automation. 20 December 2017

Subject Software Testing Structural Testing

The Rule of Constancy(Derived Frame Rule)

Discrete Mathematics Lecture 4. Harper Langston New York University

Propositional Calculus. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Symbolic Execution, Dynamic Analysis

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

Having a BLAST with SLAM

Reading assignment: Reviews and Inspections

Introduction to Linear Programming. Algorithmic and Geometric Foundations of Optimization

Software Verification and Validation. Prof. Lionel Briand Ph.D., IEEE Fellow

Chapter 3 (part 3) Describing Syntax and Semantics

Handout 9: Imperative Programs and State

Program Analysis. Program Analysis

Department of Computer Science COMP The Programming Competency Test

Why testing and analysis. Software Testing. A framework for software testing. Outline. Software Qualities. Dependability Properties

Nondeterministic Query Algorithms

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Automatic Software Verification

Topics in Software Testing

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Formal Methods. CITS5501 Software Testing and Quality Assurance

Verification and Validation

Part I: Preliminaries 24

A Catalog of While Loop Specification Patterns

Runtime Checking for Program Verification Systems

Compiler Construction 2010/2011 Loop Optimizations

Lecture Notes on Ints

Software Testing CS 408. Lecture 11: Review 2/20/18

Rethinking Automated Theorem Provers?

Finite State Verification. CSCE Lecture 14-02/25/2016

The Prototype Verification System PVS

Structural Testing. (c) 2007 Mauro Pezzè & Michal Young Ch 12, slide 1

Having a BLAST with SLAM

Static Analysis and Bugfinding

Course Summary! What have we learned and what are we expected to know?

Part 5. Verification and Validation

Standard Boolean Forms

Compiler Construction 2016/2017 Loop Optimizations

Reasoning About Imperative Programs. COS 441 Slides 10

Deductive Methods, Bounded Model Checking

Program Verification. Aarti Gupta

Algebraic Properties of CSP Model Operators? Y.C. Law and J.H.M. Lee. The Chinese University of Hong Kong.

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Introduction to Software Testing Chapter 5.1 Syntax-based Testing

UNIT-4 Black Box & White Box Testing

3.7 Denotational Semantics

STRUCTURAL TESTING. AKA White Box Testing. Thanks go to Andreas Zeller for allowing incorporation of his materials. F. Tip and M.

Software Model Checking with Abstraction Refinement

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Program Static Analysis. Overview

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Second assignment came out Monday evening. Find defects in Hnefetafl rules written by your classmates. Topic: Code Inspection and Testing

Java PathFinder JPF 2 Second Generation of Java Model Checker

Symbolic Execution and Proof of Properties

Verification and Validation. Verification and validation

Having a BLAST with SLAM

Intro to semantics; Small-step semantics Lecture 1 Tuesday, January 29, 2013

Programs with infinite loops: from primitive recursive predicates to the arithmetic hierarchy

[Ch 6] Set Theory. 1. Basic Concepts and Definitions. 400 lecture note #4. 1) Basics

Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus

Lecture 11 Lecture 11 Nov 5, 2014

Module 1 Lecture Notes 2. Optimization Problem and Model Formulation

A Propagation Engine for GCC

Distributed Systems Programming (F21DS1) Formal Verification

Basic operators, Arithmetic, Relational, Bitwise, Logical, Assignment, Conditional operators. JAVA Standard Edition

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Correctness of specifications. Correctness. Correctness of specifications (2) Example of a Correctness Proof. Testing versus Correctness Proofs

CIS 890: Safety Critical Systems

Finite State Verification. CSCE Lecture 21-03/28/2017

Transcription:

Reading Assignment Symbolic Evaluation/Execution *R.W. Floyd, "Assigning Meaning to Programs, Symposium on Applied Mathematics, 1967, pp. 19-32 (Appeared as volume 19 of Mathematical Aspects of Computer Science). R. A. DeMillo, R. J. Lipton and A. J. Perlis, "Social Processes and Proofs of Theorems and Programs," Communications of the ACM, 22 (5), May 1979, pp. 271-280. S. King, J. Hammond, R. Chapman and A. Pryor, "Is Proof More Cost-Effective Than Testing?" IEEE Transactions on Software Engineering, 26 (8), August 2000, pp. 675-686. * not required reading Move from Dynamic Analysis to Static Analysis Dynamic analysis approaches are based on sampling the input space Infer behavior or properties of a system from executing a sample of test cases Functional (Black Box) and Structural (White Box) approaches Move from Dynamic Analysis to Static Analysis Dynamic analysis approaches are based on sampling the input space Infer behavior or properties of a system from executing a sample of test cases Black Box versus White Box approaches Static analysis approaches tend to be based on a global assessment of the behavior Based on an understanding of the program (artifact) Again, usually must approximate the semantics to keep the problem tractable Static Analysis Approaches Dependence Analysis Symbolic Evaluation Formal Verification Data Flow Analysis Concurrency Analysis Reachability analysis Finite-state Verification Static Analysis Approaches Dependence Analysis Symbolic Evaluation Formal Verification Data Flow Analysis Concurrency Analysis Reachability analysis Finite-state Verification

Today s Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35. *C. Csallner, N. Tillmann, and Y. Smaragdakis, DySy: Dynamic Symbolic Execution for Invariant Inference. Proceedings of the 30th international Conference on Software Engineering, Leipzig, Germany, May 2008), pp. 281-290. Symbolic Evaluation/Execution Creates a functional representation of a path of an executable component For a path Pi D[Pi] is the domain for path Pi C[Pi] is the computation for path Pi * not required Functional Representation of an Executable Component X i is the domain of path P i Denoted D[ P i ] X j X i X l X k P i P j P k P l Representing Computation Symbolic names represent the input values the path value PV of a variable for a path describes the value of that variable in terms of those symbolic names the computation of the path C[P] is described by the path values of the outputs for the path X = D[P 1 ]... D[P r ] = D[P] D[P i ] D[P j ] = Ø, i j Representing Conditionals an interpreted branch condition or interpreted predicate is represented as an inequality or equality condition the path condition PC describes the domain of the path and is the conjunction of the interpreted branch conditions the domain of the path D[P] is the set of imput values that satisfy the PC for the path Example program procedure Contrived is X, Y, Z : integer; 1 read X, Y; 2 if X 3 then 3 Z := X+Y; 4 Z := 0; 5 if Y > 0 then 6 Y := Y + 5; 7 if X - Y < 0 then 8 write Z; 9 write Y; end Contrived; Stmt PV PC 1 X x true Y y 2,3 Z x+y true x 3 = x 3 5,6 Y y+5 x 3 y>0 7,9 (x 3 y>0 x-(y+5) 0) = (x 3 y>0 (x-y) 5)

Presenting the results procedure Contrived is X, Y, Z : integer; 1 read X, Y; 2 if X 3 then 3 Z := X+Y; 4 Z := 0; 5 if Y > 0 then 6 Y := Y + 5; 7 if X - Y < 0 then 8 write Z; 9 write Y; endif end Contrived Statements PV PC 1 X x true Y y P = 1, 2, 3, 5, 6, 7, 9 D[P] = { (x,y) x 3 y>0 x-y 5} C[P] = PV.Y = y +5 ( PV.Z = x+y) 2,3 Z x+y true x 3 = x 3 5,6 Y y+5 x 3 y>0 7,9 x 3 y>0 x-(y+5) 0 = x 3 y>0 (x-y) 5 Results (feasible path) y x 3 P = 1, 2, 3, 5, 6, 7, 9 D[P] = { (x,y) x 3 y>0 x-y 5} C[P] = PV.Y = y +5 y>0 (x-y) 5 x Evaluating another path procedure Contrived is X, Y, Z : integer; 1 read X, Y; 2 if X 3 then 3 Z := X+Y; 4 Z := 0; 5 if Y > 0 then 6 Y := Y + 5; 7 if X - Y < 0 then 8 write Z; 9 write Y; end Contrived; Stmts PV PC 1 X x true Y y 2,3 Z x+y true x 3 = x 3 5,7 x 3 y 0 7,8 x 3 y 0 x-y < 0 procedure EXAMPLE is X, Y, Z : integer; 1 read X, Y; 2 if X 3 then 3 Z := X+Y; 4 Z := 0; 5 if Y > 0 then 6 Y := Y + 5; 7 if X - Y < 0 then 8 write Z; 9 write Y; endif end EXAMPLE Stmts PV PC P = 1, 2, 3, 5, 7, 8 D[P] = { (x,y) x 3 y 0 x-y<0} infeasible path! 1 X x true Y y 2,3 Z x+y true x 3 = x 3 5,7 x 3 y 0 7,8 x 3 y 0 x-y < 0 Results (infeasible path) y x 3 (x-y) < 0 y 0 x Representing Computation Symbolic names represent the input values the path value PV of a variable for a path describes the value of that variable in terms of those symbolic names the computation of the path C[P] is described by the path values of the outputs for the path

Representing Conditionals an interpreted branch condition or interpreted predicate is represented as an inequality or equality condition the path condition PC describes the domain of the path and is the conjunction of the interpreted branch conditions the domain of the path D[P] is the set of imput values that satisfy the PC for the path what about loops? Symbolic evaluation requires a complete path description 4 1 2 3 Example Paths P= 1, 2, 3, 5 P= 1, 2, 3, 4, 2, 3, 5 P= 1, 2, 3, 4, 2, 3, 4, 2, 3, 5 Etc. 5 Symbolic Testing Path Computation provides [concise] functional representation of behavior for entire Path Domain Examination of Path Domain and Computation often useful for detecting program errors Particularly beneficial for (some) scientific applications or applications w/o oracles Simple Symbolic Evaluation Provides symbolic representations given path Pi path condition PC = path domain D[Pi] ={(x1, x1,...,x1) pc true } path values PV.X1= path computation C[Pi] = P = 1, 2, 3, 5, 6, 7, 9 D[P] = { (x,y) x 3 y>0 x-y 5} C[P] = PV.Y = y +5 Additional Features: Simplification Path Condition Consistency Fault Detection Path Selection Test Data Generation Simplification Reduces path condition to a canonical form Simplifier often determines consistency PC = ( x >= 5 ) and ( x < 0 ) May want to display path computation in simplified and unsimplified form PV.X = x + (x +1) + (x + 2) + (x + 3) = 4 * x + 6

Path Condition Consistency strategy = solve a system of constraints theorem prover consistency algebraic, e.g., linear programming consistency and find solutions solution is an example of automatically generated test data... but, in general we cannot solve an arbitrary system of constraints! Fault Detection Implicit fault conditions E.g. Subscript value out of bounds E.g. Division by zero e.g., Q:=N/D Create assertion to represent the fault and conjoin with the pc Division by zero assert(divisor 0) Determine consistency PC P and (PV.divisor = 0) if consistent then error possible Must check the assertion at the point in the path where the construct occurs Fault Detection (continued) Checking user-defined assertions Determine if the complement of the assertion is consistent with the PC example Assert (A > B) PC and (PV.A PV.B) if consistent then assertion not valid Comparing Dynamic and Symbolic Asssertion Checking Approaches With run-time assertion checking, assertions are inserted as executable instructions and checked during execution dependent on test data selected (dynamic testing ) With symbolic evaluation, assertions checked when they occur on a path being evaluated dependent on path, but not on the test data look for violating data in the path domain Additional Features: Simplification Path Condition Consistency Fault Detection Path Selection Test Data Generation Path Selection User selected Automated selection to satisfy some criteria e.g., exercise all statements at least once Because of infeasible paths, best if path selection done incrementally

Incremental Path Selection PC and PV maintained for partial path Inconsistent partial path can often be salvaged Incremental Path Selection PC and PV maintained for partial path Inconsistent partial path can often be salvaged T X>0 PC F pc = pc and (x 0) T X>0 PC F pc = pc and (x 0) pc = pc and (x>3) = pc and (x 0) and (x>3) INCONSISTENT! infeasible path T X>3 F X pc = pc and (x>3) = pc and (x 0) and (x>3) INCONSISTENT! infeasible path T X>3 F pc = pc and (x 3) = pc and (x 0) and (x 3) CONSISTENT [if pc is consistent] Path Selection (continued) Can be used in conjunction with other static analysis techniques to determine path feasibility Testing criterion generates a path that needs to be tested Symbolic evaluation determines if the path is feasible Can eliminate some paths from consideration Additional Features: Simplification Path Condition Consistency Fault Detection Path Selection Test Data Generation Test Data Generation Simple test date selection: Select test cases that satisfies the path condition pc Error based test date selection Try to select test cases that will help reveal faults Use information about the path domain and path values to select test data e.g., PV.X = a * (b + 2); a = 1 combined with min and max values of b b = -1 combined with min and max values for a values that would force X to take on special values e.g., a = 0 or b=-2, if X==0 is a special value Enhanced Symbolic Evaluation Capabilities Creates symbolic representations of the Path Domains and Computations Symbolic Testing Determine if paths are feasible Automatic fault detection system defined assertions user assertions Automatic path selection Automatic test data generation

An Enhanced Symbolic Evaluation System component Path Selection User input Problems Information explosion Impracticality of all paths Symbolic Execution Path condition consistency fault conditions Detect inconsistency Detect inconsistency path condition Simplifier Inequality Solver path values simplified path values Aliasing elements of a compound type e.g., arrays and records pointers fault report path domain test data path computation Alias Problem A(2) := 5 read I, A(I) X := A(2) Indeterminate subscript Escalating problem Read I X := A[I] PV.X = unknown Y := X + Z PV.Y = unknown + PV.Z = unknown Y:=A(I) I > 2 Z:=A(I) constraints on subscript value due to path condition Can often determine array element Symbolic Evaluation Approaches Y:=A(I) I:= I+1 I:= 0 I 3. subscript value. is constant. symbolic evaluation With some enhancements Data independent Path dependent dynamic symbolic evaluation Data dependent--> path dependent global symbolic evaluation Data independent Path independent

Dynamic Symbolic Execution X (25.5) Data dependent Provided information Actual value: X := 25.5 Symbolic expression: X := Y * (A + 1.9); Derived expression: = * Y (5.1) + A (3.1) 1.9 Dynamic Analysis combined with Symbolic Execution Actual output values Symbolic representations for each path executed path domain path computation Fault detection data dependent path dependent (if accuracy is available) Dynamic Symbolic Execution Advantages No path condition consistency determination No path selection problem No aliasing problem (e.g., array subscripts) Disadvantages Test data selection (path selection) left to user Fault detection is often data dependent Except for user and system defined assertions Applications Debugging Symbolic representations used to support path and data selection Symbolic Evaluation Approaches simple symbolic evaluation dynamic symbolic evaluation global symbolic evaluation Data and path independent Loop analysis technique classifies paths that differ only by loop iterations Provides global symbolic representation for each class of paths Global Symbolic Evaluation Global Symbolic Evaluation Loop Analysis creates recurrence relations for variables and loop exit condition solution is a closed form expression representing the loop then, loop expression evaluated as a single node 1 2 s 4 5 6 7 3 2 classes of paths: P 1 :(s,(1,2),4,(5,(6,7),8),f) P 2 : (s,3,4,(5,(6,7),8),f) global analysis case D[P 1 ]: C[P 1 ] D[P 2 ]: C[P 2 ] Endcase analyze the loops first consider all partial paths up to a node 8 f

Loop analysis example read A, B Area := 0 Loop Analysis Example Recurrence Relations AREA k = AREA k-1 + A 0 X k = X k-1 + 1 f X := A X B t Loop Exit Condition lec(k)= (X k > B 0 ) X B T write AREA AREA:= AREA+A X:= X+1 AREA:= AREA+A X:= X+1 Loop Analysis Example (continued) solved recurrence relations AREA(k) = AREA 0 + X(k) = X 0 + k solved loop exit condition lec(k) = (X 0 + k > B 0 ) loop expression k e = min {k X 0 + k > B 0 and k 0} AREA : = AREA 0 + X : = X 0 + k e X! 0! + k! - 1! Σ A 0 i = X!0! X! + k 0! e! - 1! Σ i = X! A 0 0! loop expression k e = min {k X 0 + k > B 0 and k 0} X! 0! + k e! - 1! AREA : = AREA 0 + A Σ 0 i = X! 0! X : = X 0 + k e global representation for input (a,b) X 0 = a, A 0 =a, B 0 = b, AREA 0 = 0 a + k e > b ==> k e > b - a read A,B AREA :=0 K e = b - a +1 X :=A X = a +(b-a+1) = b+1 AREA = b! Σ a i = a! write AREA = (b-a+1) a Loop analysis example read A, B Area:= 0 Find path computation and path domain for all classes of paths P1 = (1, 2, 3, 4, 7) D[P1] = a > b C[P1] = (AREA=0) and (X=a) X:= A f X B t read A,B write AREA AREA:= AREA+A AREA :=0 X :=A X:= X+1 X B write AREA

Find path computation and path domain for all classes of paths P2 = (1, 2, 3, 4, (5, 6), 7) D[P2] = (b>a) C[P2] = (AREA = (b-a+1) a ) k e = b - a +1 X : = b + 1 f read A, B Area:= 0 X:= A X B t X 0 = a B 0 = b A 0 = a K e = b - a +1 X = b+1 AREA = (b-a+1) a Example procedure RECTANGLE (A,B: in real; H: in real range -1.0... 1.0; F: in array [0..2] of real; AREA: out real; ERROR: out boolean) is -- RECTANGLE approximates the area under the quadratic equation -- F[0] + F[1]*X + F[2]*X**2 From X=A to X=B in increments of H. X,Y: real; s begin --check for valid input 1 if H > B - A then 2 ERROR := true; 3 ERROR := false; 4 X := A; 5 AREA := F[0] + F[1]*X + F[2]*X*2; 6 while X + H B loop 7 X := X + H; 8 Y := F[0] + F[1]*X + F[2]*X**2; 9 AREA := AREA + Y; end loop; 10 AREA := AREA*H; end RECTANGLE write AREA AREA:= AREA+A X:= X+1 ERROR := true; 2 s H > B - A 1 ERROR := false; 3 Symbolic Representation of Rectangle s P (s,1,2,f) 1 H > B - A D[P 1 ] (a - b + h > 0.0) 1 ERROR := true; AREA =? 2 C[P 1 ] ERROR = true ERROR := false; 3 X := A; 4 AREA := F[0] + F[1]*X + F[2]*X**2 5 P (s,1,3,4,5,6,10,f) 2 D[P (a - b + h <= 0.0) and (a - b + h > 0.0) 2 ] = = false X := A; 4 AREA := F[0] + F[1]*X + F[2]*X**2 5 X + H B 6 *** infeasible path *** X + H B 6 X := X + H; 7 P 3 (s,1,3,4,5,(6,7,8,9),10,11,f) X := X + H; 7 Y := F[0] + F[1]*X + F[2]*X**2; 8 D[P 3 ] (a-b+h <= 0.0) Y := F[0] + F[1]*X + F[2]*X**2; 8 AREA := AREA + Y; 9 C[P AREA = a*f[1]*j+2.0*a*f[2]*h+f[0]*h 3 ] +sum < i :=1... int (-a/h+b/h) AREA := AREA + Y; 9 (a*f[1]*h+a**2*f[2]*h AREA := AREA*H 10 +2.0*a*f[2]*h**2*i+f[0]*h +f[1]*h**2*i+f[2]*h**3*i**2) > AREA := AREA*H 10 f ERROR = false f Global Symbolic Evaluation Partial Evaluation Advantages global representation of routine no path selection problem Disadvantages has all problems of Symbolic Execution PLUS inability to solve recurrence relations (interdependencies, conditionals) Applications has all applications of Symbolic Execution plus Verification Program Optimization Similar to Dynamic Symbolic Evaluation Provide some of the input values E.g., If input is x and y, provide a value for x Create a representation that incorporates those values and that is equivalent to the original representation if it were given the same values as the preset values P(x, y) = P (x, y)

Partial Evaluator static input program Partial evaluator Dynamic input Specialized program output Why is partial evaluation useful? In compilers May create a faster representation E.g., if you know the maximum size for a platform or domain, hardcode that into the system More than just constant propagation Do symbolic manipulations with the computations Example with Ackermann s function A(m,n) = if m = 0 then n+1 if n = 0 then A(m-1, 1) A(m-1,A(m,n-1)) Specialization using partial evaluation A(2) := 5 read I, A(I) A0(n) = n+1 A1(n) = if n = 0 then A0(1) A0(A1(n-1)) A2(n) = if n = 0 then A1(1) A1(A2(n-1)) Y:=A(I) I > 2 Z:=A(2) A(2) := 5 read I, A(I) I>2? I<2 I=2 Y:=A(I) Z:=5 Z:=eval(A(2)) Why is Partial Evaluation Useful in Analysis Often can not reason about dynamic information Instantiates a particular configuration of the system that is easier to reason about E.g., the number of tasks in a concurrent system; the maximum size of a vector Reference on Partial Evaluation Neil Jones, An Introduction to Partial Evaluation, ACM Computing Surveys, September 1996 Look at several configurations and try to generalize results Induction Often done informally

Symbolic Evaluation Approaches symbolic evaluation With some enhancements Data independent Path dependent dynamic symbolic evaluation Data dependent--> path dependent global symbolic evaluation Data independent Path independent Current Status of Symbolic Execution Not generally used for symbolic testing expensive to create representations expensive to reason about expressions imprecision of results But, being incorporated into other techniques Test data generation with assertions Eliminate infeasible counter examples Concolic testing CREST, http://code.google.com/p/crest/, for C CUTE, http://osl.cs.uiuc.edu/~ksen/cute/ for C &JCUTE for Java Current computing power and better user interface capabilities make it worth considering

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback