# Bebop : A Symbolic Model Checker for Boolean Programs - PowerPoint PPT Presentation

1 / 32

Bebop : A Symbolic Model Checker for Boolean Programs. Thomas Ball Sriram K. Rajamani. http://research.microsoft.com/slam/. Outline. Boolean Programs and Bebop What? Why? Results Demo Semantics of Boolean Programs Technical details of algorithm Evaluation Related Work.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Bebop : A Symbolic Model Checker for Boolean Programs

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

## Bebop: A Symbolic Model Checker for Boolean Programs

Thomas Ball

Sriram K. Rajamani

http://research.microsoft.com/slam/

### Outline

• Boolean Programs and Bebop

• What?

• Why?

• Results

• Demo

• Semantics of Boolean Programs

• Technical details of algorithm

• Evaluation

• Related Work

### Boolean Programs: What

• Model for representing abstractions of imperative programs in C, C#, Java, etc.

• Features:

• Boolean variables

• Control-flow: sequencing, conditionals, looping, GOTOs

• Procedures

• Call-by-value parameter passing

• recursion

• Control non-determinism

### Boolean programs: Why

bool x,y;

[1] while (true) {

[2] if(x == y) {

[3]y = !x;

}

else{

[4]x = !x;

[5]y = !y;

}

[6]if (?) break;

}

[7] if(x == y)

[8]assert (false);

Representation of program abstractions, a la Cousots

Each boolean variable represents a predicate:

• (i < j)

• (*p==i) && ( (int) p == j)

• (p  T), where T is recursive data type

• [Graf-Saidi]

### Bebop - Results

• Reachability in boolean programs reduced to context-free language reachability

• Symbolic interprocedural dataflow analysis

• Adaptation of [Reps-Horwitz-Sagiv, POPL’95] algorithm

• Complexity of algorithm is O(E  2n)

• E = size of interprocedural control flow graph

• n = max. number of variables in the scope of any label

### Bebop - Results

• Admits control flow + variables

• Existing pushdown model checkers don’t use variables (encode variable values explicitly in state) [Esparaza, et al.]

• Analyzes procedures separately

• exploits procedural abstraction + locality of variable scopes

• Uses hybrid representation

• Explicit representation of control flow graph, as in a compiler

• Implicit representation of reachable states via BDDs

• Generates hierarchical trace

### Outline

• Boolean Programs and Bebop

• Semantics of Boolean Programs

• “stackless” semantics using context-free grammar

• Technical details of algorithm

• Evaluation

• Related Work

### Stackless Semantics

• State  = <p,>

• p = program counter

•  = valuation to variables in scope at p

• No stack!

• (B): finite alphabet over boolean program B

• <call,p,>

• <ret,p,>

• ’(x) = (x), x in Locals(c)

• ’(g) = (g), g a global

<c:Pr(), >

<d: Proc Pr(),’>

<e, ’>

<r, >

 = <call,e,>

 = <ret,e,>

### State transition <p,> --> <p’,’>

(x) = (x), x in Locals(c)

’(g) = (g), g a global

### Trace Semantics

• Context-free grammar L(B) constrains allowable traces

• M -> <call,q,> M <ret,q,>

• M -> M M

• M -> 

• 0 -1-> 1 -2-> … m-1 -m-> m is a trajectory of B iff

• i -i+1-> i+1 is a state transition, for all i

• 1 2 … m  L(B)

### Outline

• Boolean Programs and Bebop

• Semantics of Boolean Programs

• Technical details of reachability algorithm

• Binary Decision Diagrams (BDDs)

• Path edges

• Summary edges

• Example

• Preliminary Evaluation

• SLAM Project

x

y

y

z

z

z

z

1

1

0

0

0

0

1

1

### Binary Decision Diagrams

• Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors)

• F(x,y,z) = (x=y)

x

y

y

x

z

y

y

x

0

0

y

y

1

z

z

z

z

z

1

1

1

0

0

0

0

1

1

### Path Edges

• <e,p>  PE(p), iff

• Exists initialized trajectory ending in <e,e>, where e = entry(Proc(p))

• Exists trajectory from <e,e> to <p,p>

• PE(p) is a set of pairs of valuations to boolean variables in scope in Proc(p)

• Can be represented with a BDD!

### Representing Path Edges with BDDs

• Example PE(p) for boolean variables x,y and z:

• PE(p) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)

• BDDs also used to represent transfer functions for statements

• Transfer(z := x^y) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

1

g'=0^h'=1

|g'=1^h'=0

g=g’=0^a1=a1’=0^a2=a2’=1

| g=g’=1^a1=a1’=1^a2=a2’=0

g=g’=0^a1=a1’=0^a2=a2’=1

g=0^g’=1^a1=a1’=0^a2=a2’=1

Join(S,T) = { <1,2> | <1,J>S,

<J,2>T }

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

### Summary Edges<1,2> = Lift(<d,r>,Pr)

• 1(x) = 2(x), x in Locals(c)

• Locals don’t change

• 1(g) = d(g) and r(g) = 2(g), g global

• Propagation of global state

<1,2>

c: Pr()

d: Proc Pr()

e

r

<d,r>

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g=0^g’=1^h=h’=1

g=0^g’=1^h=h’=1

g=0^g’=1^a1=a1’=1^a2=a2’=0

g=0^g’=1^a1=a1’=0^a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g'=0^h'=1

|g'=1^h'=0

1

g=0^g’=1^h=h’=1

g’=h’=1

g=g’=a1=a1’=a2=a2’=1

g=g’=a1=a1’=a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

### Worklist Algorithm

• while PE(v) has changed, for some v

• Determine if any new path edges can be generated

• New path edge comes from

• Existing path edge + transfer function

• Existing path edge + summary edge (transfer function for procedure calls)

• New summary edges generated from path edges that reach exit vertex

### Generating Error Traces

• Partition reachable states into “rings”

• A ring R at stmt S is numbered N iff there is a shortest trace of length N to S ending in a state in R

• Hierarchical generation of error trace

• Skip over or descend into called procedures

### Outline

• Boolean Programs and Bebop

• Semantics of Boolean Programs

• Technical details of algorithm

• Preliminary Evaluation

• Linear behavior if # vars in scope remains constant

• Self application of Bebop

• Related Work

void level<i>()

begin

decl a,b,c;

if (g) then

while(!a|!b|!c) do

if (!a) then

a := 1;

elsif (!b) then

a,b := 0,1;

elsif (!c) then

a,b,c := 0,0,1;

else

skip;

fi

od

else

<stmt>;

<stmt>;

fi

g := !g;

end

decl g;

voidmain()

begin

level1();

level1();

if(!g) then

reach: skip;

else

skip;

fi

end

### Application: Analysis Validation

• Live variable analysis (LVA)

• A variable x is live at s if there is a path from s to a use of x (with no intervening def of x)

• Used to optimize bebop

• Quantify out variables as soon as they become dead

• How to check correctness of LVA?

• Analysis validation

• Create a boolean program to check results of LVA

• Model check boolean program (w/out LVA)

### Analysis Validation

• Output of LVA: { (s,x) | x is dead at s }

• Boolean program

• Two variables per original program var x:

• x_defined (initially 0)

• For each fact (s,x):

• x_dead, x_defined := 1, 0;

• For each def of x:

• x_defined := 1;

• For each use of x

• if (x_dead && !x_defined) LVAError();

• Query: is LVAError reachable?

### Results

• Found subtle error in implementation of LVA

• Was able to show colleague that there was another error, in his code

• Analysis validation now part of regression test suite

### Related Work

• Pushdown Automata (PDA) decidability results

• [Hopcroft-Ullman]

• Model checking PDAs

• [Bouajjani-Esparza-Maler] [Esparza-Hansel-Rossmanith-Schwoon]

• Model checking Hierarchical State Machines

• [Alur, Grosu]

• Interprocedural dataflow analysis

• [Sharir-Pnueli] [Steffen] [Knoop-Steffen] [Reps-Horwitz-Sagiv]

### Related Work

• Reps-Horwitz-Sagiv (RHS) algorithm

• Handles IFDS problems

• Interprocedural

• Finite domain D

• Distributive dataflow functions (MOP=MFP)

• Subsets of D

• Dataflow as CFL reachability over “exploded graph”

• Our results

• RHS algorithm can be reformulated as a traditional dataflow algorithm over original control-flow graph with same time/space complexity

• Reformulated algorithm is easily lifted to powersets of D using BDDs

• Arbitrary dataflow functions

• Path-sensitive

### Summary

• Bebop: a model checker for boolean programs

• Based on interprocedural dataflow analysis using BDDs

• Exploits procedural abstraction

• Hierarchical trace generation + DHTML user interface

• Release at end of year

• SLAM project

• Iteratively refine boolean program models of C programs

• Use path simulation to discover relevant predicates (simcl)

• Automated predicate abstraction (c2bp)

Software Productivity Tools

Microsoft Research

http://research.microsoft.com/slam/