bebop a symbolic model checker for boolean programs
Download
Skip this Video
Download Presentation
Bebop : A Symbolic Model Checker for Boolean Programs

Loading in 2 Seconds...

play fullscreen
1 / 32

Bebop: A Symbolic Model Checker for Boolean Programs - PowerPoint PPT Presentation


  • 200 Views
  • Uploaded on

Bebop : A Symbolic Model Checker for Boolean Programs. Thomas Ball Sriram K. Rajamani. http://research.microsoft.com/slam/. Outline. Boolean Programs and Bebop What? Why? Results Demo Semantics of Boolean Programs Technical details of algorithm Evaluation Related Work.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Bebop: A Symbolic Model Checker for Boolean Programs' - zoltin


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
bebop a symbolic model checker for boolean programs

Bebop: A Symbolic Model Checker for Boolean Programs

Thomas Ball

Sriram K. Rajamani

http://research.microsoft.com/slam/

outline
Outline
  • Boolean Programs and Bebop
    • What?
    • Why?
    • Results
    • Demo
  • Semantics of Boolean Programs
  • Technical details of algorithm
  • Evaluation
  • Related Work
boolean programs what
Boolean Programs: What
  • Model for representing abstractions of imperative programs in C, C#, Java, etc.
  • Features:
    • Boolean variables
    • Control-flow: sequencing, conditionals, looping, GOTOs
    • Procedures
      • Call-by-value parameter passing
      • recursion
    • Control non-determinism
boolean programs why
Boolean programs: Why

bool x,y;

[1] while (true) {

[2] if(x == y) {

[3] y = !x;

}

else{

[4] x = !x;

[5] y = !y;

}

[6] if (?) break;

}

[7] if(x == y)

[8] assert (false);

Representation of program abstractions, a la Cousots

Each boolean variable represents a predicate:

  • (i < j)
  • (*p==i) && ( (int) p == j)
  • (p  T), where T is recursive data type
  • [Graf-Saidi]
bebop results
Bebop - Results
  • Reachability in boolean programs reduced to context-free language reachability
  • Symbolic interprocedural dataflow analysis
    • Adaptation of [Reps-Horwitz-Sagiv, POPL’95] algorithm
  • Complexity of algorithm is O(E  2n)
    • E = size of interprocedural control flow graph
    • n = max. number of variables in the scope of any label
bebop results6
Bebop - Results
  • Admits control flow + variables
    • Existing pushdown model checkers don’t use variables (encode variable values explicitly in state) [Esparaza, et al.]
  • Analyzes procedures separately
    • exploits procedural abstraction + locality of variable scopes
  • Uses hybrid representation
    • Explicit representation of control flow graph, as in a compiler
    • Implicit representation of reachable states via BDDs
  • Generates hierarchical trace
outline8
Outline
  • Boolean Programs and Bebop
  • Semantics of Boolean Programs
    • “stackless” semantics using context-free grammar
  • Technical details of algorithm
  • Evaluation
  • Related Work
stackless semantics
Stackless Semantics
  • State  = <p,>
    • p = program counter
    •  = valuation to variables in scope at p
    • No stack!
  • (B): finite alphabet over boolean program B
    • <call,p,>
      • Call (with return to p),  a valuation to Locals(p)
    • <ret,p,>
      • Return to p,  a valuation to Locals(p)
state transition p p

’(x) = (x), x in Locals(c)

  • ’(g) = (g), g a global

<c:Pr(), >

<d: Proc Pr(),’>

<e, ’>

<r, >

 = <call,e,>

 = <ret,e,>

State transition <p,> --> <p’,’>

(x) = (x), x in Locals(c)

’(g) = (g), g a global

trace semantics
Trace Semantics
  • Context-free grammar L(B) constrains allowable traces
    • M -> <call,q,> M <ret,q,>
    • M -> M M
    • M -> 
  • 0 -1-> 1 -2-> … m-1 -m-> m is a trajectory of B iff
    • i -i+1-> i+1 is a state transition, for all i
    • 1 2 … m  L(B)
outline12
Outline
  • Boolean Programs and Bebop
  • Semantics of Boolean Programs
  • Technical details of reachability algorithm
    • Binary Decision Diagrams (BDDs)
    • Path edges
    • Summary edges
    • Example
  • Preliminary Evaluation
  • SLAM Project
binary decision diagrams

x

y

y

z

z

z

z

1

1

0

0

0

0

1

1

Binary Decision Diagrams
  • Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors)
  • F(x,y,z) = (x=y)
hash consing variable elimination

x

y

y

x

z

y

y

x

0

0

y

y

1

z

z

z

z

z

1

1

1

0

0

0

0

1

1

Hash Consing + Variable Elimination
path edges
Path Edges
  • <e,p>  PE(p), iff
    • Exists initialized trajectory ending in <e,e>, where e = entry(Proc(p))
    • Exists trajectory from <e,e> to <p,p>
  • PE(p) is a set of pairs of valuations to boolean variables in scope in Proc(p)
    • Can be represented with a BDD!
representing path edges with bdds
Representing Path Edges with BDDs
  • Example PE(p) for boolean variables x,y and z:
    • PE(p) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)
  • BDDs also used to represent transfer functions for statements
    • Transfer(z := x^y) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)
slide17

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

1

g\'=0^h\'=1

|g\'=1^h\'=0

g=g’=0^a1=a1’=0^a2=a2’=1

| g=g’=1^a1=a1’=1^a2=a2’=0

g=g’=0^a1=a1’=0^a2=a2’=1

g=0^g’=1^a1=a1’=0^a2=a2’=1

Join(S,T) = { <1,2> | <1,J>S,

<J,2>T }

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

summary edges 1 2 lift d r pr
Summary Edges<1,2> = Lift(<d,r>,Pr)
  • 1(x) = 2(x), x in Locals(c)
    • Locals don’t change
  • 1(g) = d(g) and r(g) = 2(g), g global
    • Propagation of global state

<1,2>

c: Pr()

d: Proc Pr()

e

r

<d,r>

slide19

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g=0^g’=1^h=h’=1

g=0^g’=1^h=h’=1

g=0^g’=1^a1=a1’=1^a2=a2’=0

g=0^g’=1^a1=a1’=0^a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

slide20

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g\'=0^h\'=1

|g\'=1^h\'=0

1

g=0^g’=1^h=h’=1

g’=h’=1

g=g’=a1=a1’=a2=a2’=1

g=g’=a1=a1’=a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

worklist algorithm
Worklist Algorithm
  • while PE(v) has changed, for some v
    • Determine if any new path edges can be generated
      • New path edge comes from
        • Existing path edge + transfer function
        • Existing path edge + summary edge (transfer function for procedure calls)
      • New summary edges generated from path edges that reach exit vertex
generating error traces
Generating Error Traces
  • Partition reachable states into “rings”
    • A ring R at stmt S is numbered N iff there is a shortest trace of length N to S ending in a state in R
  • Hierarchical generation of error trace
    • Skip over or descend into called procedures
outline23
Outline
  • Boolean Programs and Bebop
  • Semantics of Boolean Programs
  • Technical details of algorithm
  • Preliminary Evaluation
    • Linear behavior if # vars in scope remains constant
    • Self application of Bebop
  • Related Work
slide24

void level<i>()

begin

decl a,b,c;

if (g) then

while(!a|!b|!c) do

if (!a) then

a := 1;

elsif (!b) then

a,b := 0,1;

elsif (!c) then

a,b,c := 0,0,1;

else

skip;

fi

od

else

<stmt>;

<stmt>;

fi

g := !g;

end

decl g;

voidmain()

begin

level1();

level1();

if(!g) then

reach: skip;

else

skip;

fi

end

application analysis validation
Application: Analysis Validation
  • Live variable analysis (LVA)
    • A variable x is live at s if there is a path from s to a use of x (with no intervening def of x)
    • Used to optimize bebop
      • Quantify out variables as soon as they become dead
  • How to check correctness of LVA?
    • Analysis validation
    • Create a boolean program to check results of LVA
    • Model check boolean program (w/out LVA)
analysis validation
Analysis Validation
  • Output of LVA: { (s,x) | x is dead at s }
  • Boolean program
    • Two variables per original program var x:
      • x_dead (initially 0)
      • x_defined (initially 0)
    • For each fact (s,x):
      • x_dead, x_defined := 1, 0;
    • For each def of x:
      • x_defined := 1;
    • For each use of x
      • if (x_dead && !x_defined) LVAError();
  • Query: is LVAError reachable?
results
Results
  • Found subtle error in implementation of LVA
  • Was able to show colleague that there was another error, in his code
  • Analysis validation now part of regression test suite
related work
Related Work
  • Pushdown Automata (PDA) decidability results
    • [Hopcroft-Ullman]
  • Model checking PDAs
    • [Bouajjani-Esparza-Maler] [Esparza-Hansel-Rossmanith-Schwoon]
  • Model checking Hierarchical State Machines
    • [Alur, Grosu]
  • Interprocedural dataflow analysis
    • [Sharir-Pnueli] [Steffen] [Knoop-Steffen] [Reps-Horwitz-Sagiv]
related work30
Related Work
  • Reps-Horwitz-Sagiv (RHS) algorithm
    • Handles IFDS problems
      • Interprocedural
      • Finite domain D
      • Distributive dataflow functions (MOP=MFP)
      • Subsets of D
    • Dataflow as CFL reachability over “exploded graph”
  • Our results
    • RHS algorithm can be reformulated as a traditional dataflow algorithm over original control-flow graph with same time/space complexity
    • Reformulated algorithm is easily lifted to powersets of D using BDDs
      • Arbitrary dataflow functions
      • Path-sensitive
summary
Summary
  • Bebop: a model checker for boolean programs
    • Based on interprocedural dataflow analysis using BDDs
    • Exploits procedural abstraction
    • Admits many traditional compiler optimizations
    • Hierarchical trace generation + DHTML user interface
    • Release at end of year
  • SLAM project
    • Iteratively refine boolean program models of C programs
    • Use path simulation to discover relevant predicates (simcl)
    • Automated predicate abstraction (c2bp)
software productivity tools microsoft research http research microsoft com slam
Software Productivity Tools

Microsoft Research

http://research.microsoft.com/slam/

ad