Bebop : A Symbolic Model Checker for Boolean Programs

1 / 32

# Bebop: A Symbolic Model Checker for Boolean Programs - PowerPoint PPT Presentation

Bebop : A Symbolic Model Checker for Boolean Programs. Thomas Ball Sriram K. Rajamani. http://research.microsoft.com/slam/. Outline. Boolean Programs and Bebop What? Why? Results Demo Semantics of Boolean Programs Technical details of algorithm Evaluation Related Work.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Bebop: A Symbolic Model Checker for Boolean Programs' - zoltin

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Bebop: A Symbolic Model Checker for Boolean Programs

Thomas Ball

Sriram K. Rajamani

http://research.microsoft.com/slam/

Outline
• Boolean Programs and Bebop
• What?
• Why?
• Results
• Demo
• Semantics of Boolean Programs
• Technical details of algorithm
• Evaluation
• Related Work
Boolean Programs: What
• Model for representing abstractions of imperative programs in C, C#, Java, etc.
• Features:
• Boolean variables
• Control-flow: sequencing, conditionals, looping, GOTOs
• Procedures
• Call-by-value parameter passing
• recursion
• Control non-determinism
Boolean programs: Why

bool x,y;

[1] while (true) {

[2] if(x == y) {

[3] y = !x;

}

else{

[4] x = !x;

[5] y = !y;

}

[6] if (?) break;

}

[7] if(x == y)

[8] assert (false);

Representation of program abstractions, a la Cousots

Each boolean variable represents a predicate:

• (i < j)
• (*p==i) && ( (int) p == j)
• (p  T), where T is recursive data type
• [Graf-Saidi]
Bebop - Results
• Reachability in boolean programs reduced to context-free language reachability
• Symbolic interprocedural dataflow analysis
• Adaptation of [Reps-Horwitz-Sagiv, POPL’95] algorithm
• Complexity of algorithm is O(E  2n)
• E = size of interprocedural control flow graph
• n = max. number of variables in the scope of any label
Bebop - Results
• Admits control flow + variables
• Existing pushdown model checkers don’t use variables (encode variable values explicitly in state) [Esparaza, et al.]
• Analyzes procedures separately
• exploits procedural abstraction + locality of variable scopes
• Uses hybrid representation
• Explicit representation of control flow graph, as in a compiler
• Implicit representation of reachable states via BDDs
• Generates hierarchical trace
Outline
• Boolean Programs and Bebop
• Semantics of Boolean Programs
• “stackless” semantics using context-free grammar
• Technical details of algorithm
• Evaluation
• Related Work
Stackless Semantics
• State  = <p,>
• p = program counter
•  = valuation to variables in scope at p
• No stack!
• (B): finite alphabet over boolean program B
• <call,p,>
• <ret,p,>

’(x) = (x), x in Locals(c)

• ’(g) = (g), g a global

<c:Pr(), >

<d: Proc Pr(),’>

<e, ’>

<r, >

 = <call,e,>

 = <ret,e,>

State transition <p,> --> <p’,’>

(x) = (x), x in Locals(c)

’(g) = (g), g a global

Trace Semantics
• Context-free grammar L(B) constrains allowable traces
• M -> <call,q,> M <ret,q,>
• M -> M M
• M -> 
• 0 -1-> 1 -2-> … m-1 -m-> m is a trajectory of B iff
• i -i+1-> i+1 is a state transition, for all i
• 1 2 … m  L(B)
Outline
• Boolean Programs and Bebop
• Semantics of Boolean Programs
• Technical details of reachability algorithm
• Binary Decision Diagrams (BDDs)
• Path edges
• Summary edges
• Example
• Preliminary Evaluation
• SLAM Project

x

y

y

z

z

z

z

1

1

0

0

0

0

1

1

Binary Decision Diagrams
• Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors)
• F(x,y,z) = (x=y)

x

y

y

x

z

y

y

x

0

0

y

y

1

z

z

z

z

z

1

1

1

0

0

0

0

1

1

Hash Consing + Variable Elimination
Path Edges
• <e,p>  PE(p), iff
• Exists initialized trajectory ending in <e,e>, where e = entry(Proc(p))
• Exists trajectory from <e,e> to <p,p>
• PE(p) is a set of pairs of valuations to boolean variables in scope in Proc(p)
• Can be represented with a BDD!
Representing Path Edges with BDDs
• Example PE(p) for boolean variables x,y and z:
• PE(p) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)
• BDDs also used to represent transfer functions for statements
• Transfer(z := x^y) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

1

g\'=0^h\'=1

|g\'=1^h\'=0

g=g’=0^a1=a1’=0^a2=a2’=1

| g=g’=1^a1=a1’=1^a2=a2’=0

g=g’=0^a1=a1’=0^a2=a2’=1

g=0^g’=1^a1=a1’=0^a2=a2’=1

Join(S,T) = { <1,2> | <1,J>S,

<J,2>T }

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

Summary Edges<1,2> = Lift(<d,r>,Pr)
• 1(x) = 2(x), x in Locals(c)
• Locals don’t change
• 1(g) = d(g) and r(g) = 2(g), g global
• Propagation of global state

<1,2>

c: Pr()

d: Proc Pr()

e

r

<d,r>

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g=0^g’=1^h=h’=1

g=0^g’=1^h=h’=1

g=0^g’=1^a1=a1’=1^a2=a2’=0

g=0^g’=1^a1=a1’=0^a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g\'=0^h\'=1

|g\'=1^h\'=0

1

g=0^g’=1^h=h’=1

g’=h’=1

g=g’=a1=a1’=a2=a2’=1

g=g’=a1=a1’=a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

Worklist Algorithm
• while PE(v) has changed, for some v
• Determine if any new path edges can be generated
• New path edge comes from
• Existing path edge + transfer function
• Existing path edge + summary edge (transfer function for procedure calls)
• New summary edges generated from path edges that reach exit vertex
Generating Error Traces
• Partition reachable states into “rings”
• A ring R at stmt S is numbered N iff there is a shortest trace of length N to S ending in a state in R
• Hierarchical generation of error trace
• Skip over or descend into called procedures
Outline
• Boolean Programs and Bebop
• Semantics of Boolean Programs
• Technical details of algorithm
• Preliminary Evaluation
• Linear behavior if # vars in scope remains constant
• Self application of Bebop
• Related Work

void level<i>()

begin

decl a,b,c;

if (g) then

while(!a|!b|!c) do

if (!a) then

a := 1;

elsif (!b) then

a,b := 0,1;

elsif (!c) then

a,b,c := 0,0,1;

else

skip;

fi

od

else

<stmt>;

<stmt>;

fi

g := !g;

end

decl g;

voidmain()

begin

level1();

level1();

if(!g) then

reach: skip;

else

skip;

fi

end

Application: Analysis Validation
• Live variable analysis (LVA)
• A variable x is live at s if there is a path from s to a use of x (with no intervening def of x)
• Used to optimize bebop
• Quantify out variables as soon as they become dead
• How to check correctness of LVA?
• Analysis validation
• Create a boolean program to check results of LVA
• Model check boolean program (w/out LVA)
Analysis Validation
• Output of LVA: { (s,x) | x is dead at s }
• Boolean program
• Two variables per original program var x:
• x_defined (initially 0)
• For each fact (s,x):
• x_dead, x_defined := 1, 0;
• For each def of x:
• x_defined := 1;
• For each use of x
• if (x_dead && !x_defined) LVAError();
• Query: is LVAError reachable?
Results
• Found subtle error in implementation of LVA
• Was able to show colleague that there was another error, in his code
• Analysis validation now part of regression test suite
Related Work
• Pushdown Automata (PDA) decidability results
• [Hopcroft-Ullman]
• Model checking PDAs
• [Bouajjani-Esparza-Maler] [Esparza-Hansel-Rossmanith-Schwoon]
• Model checking Hierarchical State Machines
• [Alur, Grosu]
• Interprocedural dataflow analysis
• [Sharir-Pnueli] [Steffen] [Knoop-Steffen] [Reps-Horwitz-Sagiv]
Related Work
• Reps-Horwitz-Sagiv (RHS) algorithm
• Handles IFDS problems
• Interprocedural
• Finite domain D
• Distributive dataflow functions (MOP=MFP)
• Subsets of D
• Dataflow as CFL reachability over “exploded graph”
• Our results
• RHS algorithm can be reformulated as a traditional dataflow algorithm over original control-flow graph with same time/space complexity
• Reformulated algorithm is easily lifted to powersets of D using BDDs
• Arbitrary dataflow functions
• Path-sensitive
Summary
• Bebop: a model checker for boolean programs
• Based on interprocedural dataflow analysis using BDDs
• Exploits procedural abstraction