Bebop a symbolic model checker for boolean programs l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 32

Bebop : A Symbolic Model Checker for Boolean Programs PowerPoint PPT Presentation


  • 178 Views
  • Uploaded on
  • Presentation posted in: General

Bebop : A Symbolic Model Checker for Boolean Programs. Thomas Ball Sriram K. Rajamani. http://research.microsoft.com/slam/. Outline. Boolean Programs and Bebop What? Why? Results Demo Semantics of Boolean Programs Technical details of algorithm Evaluation Related Work.

Download Presentation

Bebop : A Symbolic Model Checker for Boolean Programs

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Bebop a symbolic model checker for boolean programs l.jpg

Bebop: A Symbolic Model Checker for Boolean Programs

Thomas Ball

Sriram K. Rajamani

http://research.microsoft.com/slam/


Outline l.jpg

Outline

  • Boolean Programs and Bebop

    • What?

    • Why?

    • Results

    • Demo

  • Semantics of Boolean Programs

  • Technical details of algorithm

  • Evaluation

  • Related Work


Boolean programs what l.jpg

Boolean Programs: What

  • Model for representing abstractions of imperative programs in C, C#, Java, etc.

  • Features:

    • Boolean variables

    • Control-flow: sequencing, conditionals, looping, GOTOs

    • Procedures

      • Call-by-value parameter passing

      • recursion

    • Control non-determinism


Boolean programs why l.jpg

Boolean programs: Why

bool x,y;

[1] while (true) {

[2] if(x == y) {

[3]y = !x;

}

else{

[4]x = !x;

[5]y = !y;

}

[6]if (?) break;

}

[7] if(x == y)

[8]assert (false);

Representation of program abstractions, a la Cousots

Each boolean variable represents a predicate:

  • (i < j)

  • (*p==i) && ( (int) p == j)

  • (p  T), where T is recursive data type

  • [Graf-Saidi]


Bebop results l.jpg

Bebop - Results

  • Reachability in boolean programs reduced to context-free language reachability

  • Symbolic interprocedural dataflow analysis

    • Adaptation of [Reps-Horwitz-Sagiv, POPL’95] algorithm

  • Complexity of algorithm is O(E  2n)

    • E = size of interprocedural control flow graph

    • n = max. number of variables in the scope of any label


Bebop results6 l.jpg

Bebop - Results

  • Admits control flow + variables

    • Existing pushdown model checkers don’t use variables (encode variable values explicitly in state) [Esparaza, et al.]

  • Analyzes procedures separately

    • exploits procedural abstraction + locality of variable scopes

  • Uses hybrid representation

    • Explicit representation of control flow graph, as in a compiler

    • Implicit representation of reachable states via BDDs

  • Generates hierarchical trace


Bebop demo l.jpg

Bebop Demo!


Outline8 l.jpg

Outline

  • Boolean Programs and Bebop

  • Semantics of Boolean Programs

    • “stackless” semantics using context-free grammar

  • Technical details of algorithm

  • Evaluation

  • Related Work


Stackless semantics l.jpg

Stackless Semantics

  • State  = <p,>

    • p = program counter

    •  = valuation to variables in scope at p

    • No stack!

  • (B): finite alphabet over boolean program B

    • <call,p,>

      • Call (with return to p),  a valuation to Locals(p)

    • <ret,p,>

      • Return to p,  a valuation to Locals(p)


State transition p p l.jpg

  • ’(x) = (x), x in Locals(c)

  • ’(g) = (g), g a global

<c:Pr(), >

<d: Proc Pr(),’>

<e, ’>

<r, >

 = <call,e,>

 = <ret,e,>

State transition <p,> --> <p’,’>

(x) = (x), x in Locals(c)

’(g) = (g), g a global


Trace semantics l.jpg

Trace Semantics

  • Context-free grammar L(B) constrains allowable traces

    • M -> <call,q,> M <ret,q,>

    • M -> M M

    • M -> 

  • 0 -1-> 1 -2-> … m-1 -m-> m is a trajectory of B iff

    • i -i+1-> i+1 is a state transition, for all i

    • 1 2 … m  L(B)


Outline12 l.jpg

Outline

  • Boolean Programs and Bebop

  • Semantics of Boolean Programs

  • Technical details of reachability algorithm

    • Binary Decision Diagrams (BDDs)

    • Path edges

    • Summary edges

    • Example

  • Preliminary Evaluation

  • SLAM Project


Binary decision diagrams l.jpg

x

y

y

z

z

z

z

1

1

0

0

0

0

1

1

Binary Decision Diagrams

  • Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors)

  • F(x,y,z) = (x=y)


Hash consing variable elimination l.jpg

x

y

y

x

z

y

y

x

0

0

y

y

1

z

z

z

z

z

1

1

1

0

0

0

0

1

1

Hash Consing + Variable Elimination


Path edges l.jpg

Path Edges

  • <e,p>  PE(p), iff

    • Exists initialized trajectory ending in <e,e>, where e = entry(Proc(p))

    • Exists trajectory from <e,e> to <p,p>

  • PE(p) is a set of pairs of valuations to boolean variables in scope in Proc(p)

    • Can be represented with a BDD!


Representing path edges with bdds l.jpg

Representing Path Edges with BDDs

  • Example PE(p) for boolean variables x,y and z:

    • PE(p) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)

  • BDDs also used to represent transfer functions for statements

    • Transfer(z := x^y) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)


Slide17 l.jpg

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

1

g'=0^h'=1

|g'=1^h'=0

g=g’=0^a1=a1’=0^a2=a2’=1

| g=g’=1^a1=a1’=1^a2=a2’=0

g=g’=0^a1=a1’=0^a2=a2’=1

g=0^g’=1^a1=a1’=0^a2=a2’=1

Join(S,T) = { <1,2> | <1,J>S,

<J,2>T }

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end


Summary edges 1 2 lift d r pr l.jpg

Summary Edges<1,2> = Lift(<d,r>,Pr)

  • 1(x) = 2(x), x in Locals(c)

    • Locals don’t change

  • 1(g) = d(g) and r(g) = 2(g), g global

    • Propagation of global state

<1,2>

c: Pr()

d: Proc Pr()

e

r

<d,r>


Slide19 l.jpg

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g=0^g’=1^h=h’=1

g=0^g’=1^h=h’=1

g=0^g’=1^a1=a1’=1^a2=a2’=0

g=0^g’=1^a1=a1’=0^a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end


Slide20 l.jpg

decl g;

void main()

begin

decl h;

h := !g;

A(g,h);

skip;

A(g,h);

skip;

if (g) then

R: skip;

fi

end

g'=0^h'=1

|g'=1^h'=0

1

g=0^g’=1^h=h’=1

g’=h’=1

g=g’=a1=a1’=a2=a2’=1

g=g’=a1=a1’=a2=a2’=1

void A(a1,a2)

begin

if (a1) then

A(a2,a1);

skip;

else

g := a2;

fi

end


Worklist algorithm l.jpg

Worklist Algorithm

  • while PE(v) has changed, for some v

    • Determine if any new path edges can be generated

      • New path edge comes from

        • Existing path edge + transfer function

        • Existing path edge + summary edge (transfer function for procedure calls)

      • New summary edges generated from path edges that reach exit vertex


Generating error traces l.jpg

Generating Error Traces

  • Partition reachable states into “rings”

    • A ring R at stmt S is numbered N iff there is a shortest trace of length N to S ending in a state in R

  • Hierarchical generation of error trace

    • Skip over or descend into called procedures


Outline23 l.jpg

Outline

  • Boolean Programs and Bebop

  • Semantics of Boolean Programs

  • Technical details of algorithm

  • Preliminary Evaluation

    • Linear behavior if # vars in scope remains constant

    • Self application of Bebop

  • Related Work


Slide24 l.jpg

void level<i>()

begin

decl a,b,c;

if (g) then

while(!a|!b|!c) do

if (!a) then

a := 1;

elsif (!b) then

a,b := 0,1;

elsif (!c) then

a,b,c := 0,0,1;

else

skip;

fi

od

else

<stmt>;

<stmt>;

fi

g := !g;

end

decl g;

voidmain()

begin

level1();

level1();

if(!g) then

reach: skip;

else

skip;

fi

end


Application analysis validation l.jpg

Application: Analysis Validation

  • Live variable analysis (LVA)

    • A variable x is live at s if there is a path from s to a use of x (with no intervening def of x)

    • Used to optimize bebop

      • Quantify out variables as soon as they become dead

  • How to check correctness of LVA?

    • Analysis validation

    • Create a boolean program to check results of LVA

    • Model check boolean program (w/out LVA)


Analysis validation l.jpg

Analysis Validation

  • Output of LVA: { (s,x) | x is dead at s }

  • Boolean program

    • Two variables per original program var x:

      • x_dead (initially 0)

      • x_defined (initially 0)

    • For each fact (s,x):

      • x_dead, x_defined := 1, 0;

    • For each def of x:

      • x_defined := 1;

    • For each use of x

      • if (x_dead && !x_defined) LVAError();

  • Query: is LVAError reachable?


Results l.jpg

Results

  • Found subtle error in implementation of LVA

  • Was able to show colleague that there was another error, in his code

  • Analysis validation now part of regression test suite


Related work l.jpg

Related Work

  • Pushdown Automata (PDA) decidability results

    • [Hopcroft-Ullman]

  • Model checking PDAs

    • [Bouajjani-Esparza-Maler] [Esparza-Hansel-Rossmanith-Schwoon]

  • Model checking Hierarchical State Machines

    • [Alur, Grosu]

  • Interprocedural dataflow analysis

    • [Sharir-Pnueli] [Steffen] [Knoop-Steffen] [Reps-Horwitz-Sagiv]


Related work30 l.jpg

Related Work

  • Reps-Horwitz-Sagiv (RHS) algorithm

    • Handles IFDS problems

      • Interprocedural

      • Finite domain D

      • Distributive dataflow functions (MOP=MFP)

      • Subsets of D

    • Dataflow as CFL reachability over “exploded graph”

  • Our results

    • RHS algorithm can be reformulated as a traditional dataflow algorithm over original control-flow graph with same time/space complexity

    • Reformulated algorithm is easily lifted to powersets of D using BDDs

      • Arbitrary dataflow functions

      • Path-sensitive


Summary l.jpg

Summary

  • Bebop: a model checker for boolean programs

    • Based on interprocedural dataflow analysis using BDDs

    • Exploits procedural abstraction

    • Admits many traditional compiler optimizations

    • Hierarchical trace generation + DHTML user interface

    • Release at end of year

  • SLAM project

    • Iteratively refine boolean program models of C programs

    • Use path simulation to discover relevant predicates (simcl)

    • Automated predicate abstraction (c2bp)


Software productivity tools microsoft research http research microsoft com slam l.jpg

Software Productivity Tools

Microsoft Research

http://research.microsoft.com/slam/


  • Login