- 90 Views
- Uploaded on
- Presentation posted in: General

Path Slicing

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Path Slicing

Presentation by Massimiliano Menarini

Ranjit Jhala and Rupak Majumdar, “Path Slicing” PLDI 05 (June 2005, Chicago, Illinois)

- Use of Path Slices
- Model checking and counter examples

- Control Flow Automata
- Weakest Preconditions
- Properties of Path Slices
- Completeness
- Soundness

- Path Slice Algorithm
- Experimental Results
- Conclusion

- Model checking
- Allow for the exploration of the execution space of an application to find some error
- Return a counter example: an execution path form the start state to an error state

- Motivation for using Path Slicing techniques
- The returned counter example can be very long
- For example the paper presents an experiment where a property checked on gcc returned a 82,695 basic blocks counter example

- Obtain understandable counter examples
- We are interested in only the operations that affect the reachability of the error state (potentially a fraction of the full counter example)

- The returned counter example can be very long

Source

Ex() {

0: if(a>0)

1: x=1;

2: c=0;

3: for(i=1;i<1000;i++)

4: c=c+f(i);

5: if(a>0){

6: if(x==0){

ERR: }}

...

}

CFA

[a>0]

0

[a≤0]

1

x=1

2

c=0

3

[i<1000]

i=1

4

3’

c=c+f(i)

i++

[i≥1000]

5

[a>0]

[a≤0]

6

[x==0]

Err

Exit

- It is a CFG with operations on the edges and program counter on the vertexes
- Formally
- Operations (Ops) of 2 types
- Assignment: l:=e
- assume: assume(p)

- CFA Cf=(PCf, pc0, pcout, Ef, Vf)
- PCf is a set of locations (program counters)
- pc0PCf is the start location
- pcoutPCf is the exit location
- Ef set of edges, Ef PCf Ops PCf
- Vf set of variables (?)

- Operations (Ops) of 2 types

- Given a logical formula jover a set of variables X.
- j represents all X-states where the values of X satisfy j

- The weakest precondition (WP) of j with regard to the operation op Ops (WP.j.op) is the set of states that can reach a state in j after executing op

X={a}

Ops={a=0, a=1}

j=[a==1]

Therefore

j identifies {a=1}

WP.j.(a=1)={all}

WP.j.(a=0)={Ø}

CFA

To execute must be

a>0 (j)

Path to pc=6

Trace

[a>0]

x=1

c=0

i=1

[i≥1000]

[a>0]

Variables

a

c

i

x

[a>0]

0

[a≤0]

[a>0]

1

0

x=1

2

1

c=0

x=1

2

3

c=0

[i<1000]

i=1

3

4

3’

i=1

c=c+f(i)

i++

[i≥1000]

3’

[i≥1000]

5

[a>0]

Cannot execute: this is an unfeasible path

[a≤0]

5

6

[a>0]

[x==0]

6

Err

Exit

- A pathp from pc to pc’ is a sequence of edges of the CFA such that: the destination of one and the source of the next coincide, the source of the first edge is pc and the destination of the last is pc’
- A trace is the sequence of operations on the edges of a path
- A path is feasible if there is some state that can execute it
- A state s can reach a location pc if there exist a path from pc0 to pc that can be executed by s
- A Path Slicep’ is a subsequence of a path p

- p’ is a complete slice of p (path from pc0 to an error location pce) if for every sWP.true.Tr.p’ either:
- there exist a program path p’’ from pc0 to pce such that s can execute p’’, or
- S cannot reach pcout

- Therefore if there is a complete slice to an error location and it is feasible (therefore executable for some state), we are guaranteed that for each state that can execute the slice there exist an executable path that reach the error location

- A path slice p’ of p is a sound slice if WP.true.(Tr.p) WP.true.(Tr.p’)
- So a state that can execute the trace of a path can execute the trace if a sound slice of it

Complete and Sound Slice

CFA

Slice

Slice

[a>0]

[a>0]

[a>0]

0

0

0

[a≤0]

1

1

1

x=0

Not Sound slice

The path could execute in s={a>0} the slice only in s’={a>0, x=0}

x=0

x=0

2

2

2

c=0

c=0

c=0

3

3

3

[i<1000]

i=1

[i<1000]

i=1

[i<1000]

i=1

4

3’

4

3’

4

3’

c=c+f(i)

i++

c=c+f(i)

i++

c=c+f(i)

i++

[i≥1000]

[i≥1000]

[i≥1000]

5

5

5

[a>0]

[a>0]

[a>0]

[a≤0]

6

6

6

[x==0]

[x==0]

[x==0]

Err

Exit

Err

Err

- Backward traversal of the CFA
- Keep 2 information
- lvalues set L (the set of lives values)
- Step location pcs

- An edge is added to the slice if
- It assign one of the lvalues
- If there is a branch that can bypass the current step
- If there is a path from the current edge to the step edge that assign one of the lvalues

- Tested correctens of files handling in real programs (fcron, wuftpd, make, privoxy, ijpeg, openssh, gcc)
- In average the length of the Slice was 5% of the length of the original trace
- In case of longer traces the slices where much shorter (0.1%)
- Examples
- Shortest trace 47 operations: output 27 operations (57%)
- Longest trace 82,695 operations: output 43 operations (less that 0.1%)

- Path Slicing is an interesting technique to reduce the size of a counter example
- An linear algorithm that return a Sound and Complete path slice is provided
- Implemented in the Blast model checker
- Experimental results on real programs proved the benefit of that approach
- Limitations
- The implementation use a depth first search for counter examples that returns very long traces
- Imprecise model of the heap creates problems in the verification of certain programs
- Slow implementation of WrBt and By functions used by the algorithm, don’t scale well