Loading in 5 sec....

Bebop : A Symbolic Model Checker for Boolean ProgramsPowerPoint Presentation

Bebop : A Symbolic Model Checker for Boolean Programs

- 191 Views
- Uploaded on
- Presentation posted in: General

Bebop : A Symbolic Model Checker for Boolean Programs

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Bebop: A Symbolic Model Checker for Boolean Programs

Thomas Ball

Sriram K. Rajamani

http://research.microsoft.com/slam/

- Boolean Programs and Bebop
- What?
- Why?
- Results
- Demo

- Semantics of Boolean Programs
- Technical details of algorithm
- Evaluation
- Related Work

- Model for representing abstractions of imperative programs in C, C#, Java, etc.
- Features:
- Boolean variables
- Control-flow: sequencing, conditionals, looping, GOTOs
- Procedures
- Call-by-value parameter passing
- recursion

- Control non-determinism

bool x,y;

[1] while (true) {

[2] if(x == y) {

[3]y = !x;

}

else{

[4]x = !x;

[5]y = !y;

}

[6]if (?) break;

}

[7] if(x == y)

[8]assert (false);

Representation of program abstractions, a la Cousots

Each boolean variable represents a predicate:

- (i < j)
- (*p==i) && ( (int) p == j)
- (p T), where T is recursive data type
- [Graf-Saidi]

- Reachability in boolean programs reduced to context-free language reachability
- Symbolic interprocedural dataflow analysis
- Adaptation of [Reps-Horwitz-Sagiv, POPL’95] algorithm

- Complexity of algorithm is O(E 2n)
- E = size of interprocedural control flow graph
- n = max. number of variables in the scope of any label

- Admits control flow + variables
- Existing pushdown model checkers don’t use variables (encode variable values explicitly in state) [Esparaza, et al.]

- Analyzes procedures separately
- exploits procedural abstraction + locality of variable scopes

- Uses hybrid representation
- Explicit representation of control flow graph, as in a compiler
- Implicit representation of reachable states via BDDs

- Generates hierarchical trace

- Boolean Programs and Bebop
- Semantics of Boolean Programs
- “stackless” semantics using context-free grammar

- Technical details of algorithm
- Evaluation
- Related Work

- State = <p,>
- p = program counter
- = valuation to variables in scope at p
- No stack!

- (B): finite alphabet over boolean program B
- <call,p,>
- Call (with return to p), a valuation to Locals(p)

- <ret,p,>
- Return to p, a valuation to Locals(p)

- <call,p,>

- ’(x) = (x), x in Locals(c)
- ’(g) = (g), g a global

<c:Pr(), >

<d: Proc Pr(),’>

<e, ’>

<r, >

= <call,e,>

= <ret,e,>

(x) = (x), x in Locals(c)

’(g) = (g), g a global

- Context-free grammar L(B) constrains allowable traces
- M -> <call,q,> M <ret,q,>
- M -> M M
- M ->

- 0 -1-> 1 -2-> … m-1 -m-> m is a trajectory of B iff
- i -i+1-> i+1 is a state transition, for all i
- 1 2 … m L(B)

- Boolean Programs and Bebop
- Semantics of Boolean Programs
- Technical details of reachability algorithm
- Binary Decision Diagrams (BDDs)
- Path edges
- Summary edges
- Example

- Preliminary Evaluation
- SLAM Project

x

y

y

z

z

z

z

1

1

0

0

0

0

1

1

- Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors)
- F(x,y,z) = (x=y)

x

y

y

x

z

y

y

x

0

0

y

y

1

z

z

z

z

z

1

1

1

0

0

0

0

1

1

- <e,p> PE(p), iff
- Exists initialized trajectory ending in <e,e>, where e = entry(Proc(p))
- Exists trajectory from <e,e> to <p,p>

- PE(p) is a set of pairs of valuations to boolean variables in scope in Proc(p)
- Can be represented with a BDD!

- Example PE(p) for boolean variables x,y and z:
- PE(p) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)

- BDDs also used to represent transfer functions for statements
- Transfer(z := x^y) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

1

g'=0^h'=1

|g'=1^h'=0

g=g’=0^a1=a1’=0^a2=a2’=1

| g=g’=1^a1=a1’=1^a2=a2’=0

g=g’=0^a1=a1’=0^a2=a2’=1

g=0^g’=1^a1=a1’=0^a2=a2’=1

Join(S,T) = { <1,2> | <1,J>S,

<J,2>T }

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

- 1(x) = 2(x), x in Locals(c)
- Locals don’t change

- 1(g) = d(g) and r(g) = 2(g), g global
- Propagation of global state

<1,2>

c: Pr()

d: Proc Pr()

e

r

<d,r>

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g=0^g’=1^h=h’=1

g=0^g’=1^h=h’=1

g=0^g’=1^a1=a1’=1^a2=a2’=0

g=0^g’=1^a1=a1’=0^a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g'=0^h'=1

|g'=1^h'=0

1

g=0^g’=1^h=h’=1

g’=h’=1

g=g’=a1=a1’=a2=a2’=1

g=g’=a1=a1’=a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end

- while PE(v) has changed, for some v
- Determine if any new path edges can be generated
- New path edge comes from
- Existing path edge + transfer function
- Existing path edge + summary edge (transfer function for procedure calls)

- New summary edges generated from path edges that reach exit vertex

- New path edge comes from

- Determine if any new path edges can be generated

- Partition reachable states into “rings”
- A ring R at stmt S is numbered N iff there is a shortest trace of length N to S ending in a state in R

- Hierarchical generation of error trace
- Skip over or descend into called procedures

- Boolean Programs and Bebop
- Semantics of Boolean Programs
- Technical details of algorithm
- Preliminary Evaluation
- Linear behavior if # vars in scope remains constant
- Self application of Bebop

- Related Work

void level<i>()

begin

decl a,b,c;

if (g) then

while(!a|!b|!c) do

if (!a) then

a := 1;

elsif (!b) then

a,b := 0,1;

elsif (!c) then

a,b,c := 0,0,1;

else

skip;

fi

od

else

<stmt>;

<stmt>;

fi

g := !g;

end

decl g;

voidmain()

begin

level1();

level1();

if(!g) then

reach: skip;

else

skip;

fi

end

- Live variable analysis (LVA)
- A variable x is live at s if there is a path from s to a use of x (with no intervening def of x)
- Used to optimize bebop
- Quantify out variables as soon as they become dead

- How to check correctness of LVA?
- Analysis validation
- Create a boolean program to check results of LVA
- Model check boolean program (w/out LVA)

- Output of LVA: { (s,x) | x is dead at s }
- Boolean program
- Two variables per original program var x:
- x_dead (initially 0)
- x_defined (initially 0)

- For each fact (s,x):
- x_dead, x_defined := 1, 0;

- For each def of x:
- x_defined := 1;

- For each use of x
- if (x_dead && !x_defined) LVAError();

- Two variables per original program var x:
- Query: is LVAError reachable?

- Found subtle error in implementation of LVA
- Was able to show colleague that there was another error, in his code
- Analysis validation now part of regression test suite

- Pushdown Automata (PDA) decidability results
- [Hopcroft-Ullman]

- Model checking PDAs
- [Bouajjani-Esparza-Maler] [Esparza-Hansel-Rossmanith-Schwoon]

- Model checking Hierarchical State Machines
- [Alur, Grosu]

- Interprocedural dataflow analysis
- [Sharir-Pnueli] [Steffen] [Knoop-Steffen] [Reps-Horwitz-Sagiv]

- Reps-Horwitz-Sagiv (RHS) algorithm
- Handles IFDS problems
- Interprocedural
- Finite domain D
- Distributive dataflow functions (MOP=MFP)
- Subsets of D

- Dataflow as CFL reachability over “exploded graph”

- Handles IFDS problems
- Our results
- RHS algorithm can be reformulated as a traditional dataflow algorithm over original control-flow graph with same time/space complexity
- Reformulated algorithm is easily lifted to powersets of D using BDDs
- Arbitrary dataflow functions
- Path-sensitive

- Bebop: a model checker for boolean programs
- Based on interprocedural dataflow analysis using BDDs
- Exploits procedural abstraction
- Admits many traditional compiler optimizations
- Hierarchical trace generation + DHTML user interface
- Release at end of year

- SLAM project
- Iteratively refine boolean program models of C programs
- Use path simulation to discover relevant predicates (simcl)
- Automated predicate abstraction (c2bp)

Software Productivity Tools

Microsoft Research

http://research.microsoft.com/slam/