Using Boolean Satisfiability for Path Sensitive Analysis

Presentation Transcript


  1. Using Boolean Satisfiability for Path Sensitive Analysis
  Yichen Xie, Andy Chou

  2. SAT
  • Classic NP-complete problem
  • Backend for many tools in verification, AI, etc.
  • Much recent work: Chaff / GRASP / SATO / GSAT
  • SAT problem P = conjunction of clauses
  • Clause = disjunction of literals
  • Literal = v or ¬v
  • Example: (x ∨ y) ∧ (¬x ∨ y)
  • A is a satisfying assignment if P(A) = true

  3. Motivation
  • Eliminate false positives from false paths
  • Reasoning about values
    • Integer overflows
    • Buffer overruns
    • Off-by-one errors
  • Branch correlations / path sensitivity
  • Take advantage of SAT solver improvements

  4. Modeling Properties
  Program:
      if (x) lock(l);
      if (x) unlock(l);
  Model (the lock state becomes a variable, the property becomes assertions):
      if (x) { assert(l == unlocked); l = locked; }
      if (x) { assert(l == locked); l = unlocked; }

  5. Translating Expressions
  • X => [x31 x30 … x0] (one boolean variable per bit)
  • Expressions: build a circuit for each operation
  • X != 0 => x31 ∨ x30 ∨ … ∨ x0
  • X == 0 => ¬(x31 ∨ x30 ∨ … ∨ x0)
  • X == Y => (x31 = y31) ∧ … ∧ (x0 = y0)
  • Addition: ripple-carry adder
  • Multiply by constant: Booth's algorithm
  • Negative numbers: 2's complement
  • Bit operations easy
  • Captures effect of overflow (the circuit is exactly as wide as the machine word, so wrap-around is modeled, not abstracted away)

  6. Translating Statements
  • SSA transformation: a table T maps each variable to its current SSA name, T(v) = v_i
  • Expression: T[e] => E (translate e using the names currently in T)
  • Assignment: T' = Rename(x, T) gives x a fresh name; T[x = e] => (T'(x) = E), T' (emit the equation and continue with T')

  7. Translating Control Flow
  • Similar to verification condition generation (see the ESC/Java paper we read)
  • Build path expression (regular expression of edges in the CFG)
  • Translate path expression:
    • Sequence => AND
    • Branch => OR
    • Loop => desugar and unroll
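The following Python is an added example that is not part of the slides or of the authors' tool; it puts slides 2 and 5 through 7 together in running code. Expressions are bit-blasted with Tseitin gates (ripple-carry adder, unsigned compare) as on slide 5, the lock example of slide 4 is written in SSA form as on slide 6 with the branch join encoded as a mux (a simplification of the slide 7 "Branch => OR" translation over path expressions), and a minimal DPLL solver stands in for Chaff/GRASP. All function and class names, the 8-bit width, and the two queries are this example's own choices.

```python
# Added example, not from the slides or the authors' tool: Tseitin-encode expressions and
# SSA statements into CNF and decide them with a tiny DPLL solver.  Literals are signed
# ints (+v / -v); bit-vectors are lists of literals, least significant bit first.

def solve(clauses):
    """DPLL with unit propagation.  Returns {var: bool} on SAT, None on UNSAT."""
    def simplify(cls, lit):               # assume `lit` is true; None on conflict
        out = []
        for c in cls:
            if lit not in c:
                nc = [l for l in c if l != -lit]
                if not nc:
                    return None           # empty clause
                out.append(nc)
        return out

    def dpll(cls, assign):
        while True:                       # unit propagation
            unit = next((c[0] for c in cls if len(c) == 1), None)
            if unit is None:
                break
            assign[abs(unit)] = unit > 0
            cls = simplify(cls, unit)
            if cls is None:
                return None
        if not cls:
            return assign
        lit = cls[0][0]                   # decision: first literal of the first clause
        for choice in (lit, -lit):
            s = simplify(cls, choice)
            r = None if s is None else dpll(s, {**assign, abs(choice): choice > 0})
            if r is not None:
                return r
        return None

    return dpll([list(c) for c in clauses], {})

class CNF:
    """Clause set plus Tseitin gate encoders; every gate gets a fresh output variable."""
    def __init__(self):
        self.n, self.clauses = 0, []
        self.T = self.var()               # constant true; -self.T is constant false
        self.add(self.T)
    def var(self):
        self.n += 1
        return self.n
    def add(self, *lits):
        self.clauses.append(list(lits))
    def AND(self, a, b):
        o = self.var(); self.add(-a, -b, o); self.add(a, -o); self.add(b, -o); return o
    def OR(self, a, b):
        o = self.var(); self.add(a, b, -o); self.add(-a, o); self.add(-b, o); return o
    def XOR(self, a, b):
        o = self.var()
        self.add(-a, -b, -o); self.add(a, b, -o); self.add(a, -b, o); self.add(-a, b, o)
        return o
    def IFF(self, a, b):                  # single-bit equality
        return -self.XOR(a, b)
    def MUX(self, c, a, b):               # c ? a : b, the phi-node at a branch join
        return self.OR(self.AND(c, a), self.AND(-c, b))
    def fresh_bv(self, width):
        return [self.var() for _ in range(width)]
    def add_bv(self, xs, ys):             # ripple-carry adder truncated to len(xs) bits,
        carry, out = -self.T, []          # so it wraps around like machine arithmetic
        for x, y in zip(xs, ys):
            p = self.XOR(x, y)
            out.append(self.XOR(p, carry))
            carry = self.OR(self.AND(x, y), self.AND(p, carry))
        return out
    def ult(self, xs, ys):                # unsigned xs < ys, folded LSB-first:
        lt = -self.T                      # lt = (x < y) | (x == y & lt_of_lower_bits)
        for x, y in zip(xs, ys):
            lt = self.OR(self.AND(-x, y), self.AND(self.IFF(x, y), lt))
        return lt
    def value(self, model, bits):         # decode a bit-vector; free variables read as 0
        return sum(1 << i for i, b in enumerate(bits) if model.get(abs(b), False) == (b > 0))

def overflow_witness(width=8):
    """Slide 5: find x, y with (x + y) < x in unsigned `width`-bit arithmetic.  Impossible
    over the integers; with the truncated adder SAT finds a wrap-around."""
    f = CNF()
    x, y = f.fresh_bv(width), f.fresh_bv(width)
    f.add(f.ult(f.add_bv(x, y), x))       # assert the overflow condition
    m = solve(f.clauses)
    return None if m is None else (f.value(m, x), f.value(m, y))

def lock_bug_witness(same_guard):
    """Slides 4, 6, 7:  if (x) { assert(l == unlocked); l = locked; }
                        if (y) { assert(l == locked);   l = unlocked; }
    Sequence => AND of the SSA equations, branch join => MUX.  Can the second assert fail?
    With y == x that path is infeasible (UNSAT, no false positive); otherwise it is a real bug."""
    f = CNF()
    x = f.var()
    y = x if same_guard else f.var()
    LOCKED, UNLOCKED = f.T, -f.T
    l1 = f.MUX(x, LOCKED, UNLOCKED)       # l0 = unlocked; l1 = x ? locked : l0
    f.add(y)                              # path enters the second branch ...
    f.add(-f.IFF(l1, LOCKED))             # ... where assert(l1 == locked) fails
    m = solve(f.clauses)
    return None if m is None else {"x": m.get(x, False), "y": m.get(y, False)}
```

`overflow_witness()` returns a pair whose 8-bit sum wraps past 255 and is therefore smaller than `x`, which is exactly the "captures effect of overflow" point: the same query is unsatisfiable if the adder is given a carry-out bit instead of being truncated. `lock_bug_witness(True)` returns `None`, so the path a path-insensitive checker would flag (lock skipped, unlock taken) is pruned as infeasible; `lock_bug_witness(False)` returns `{"x": False, "y": True}`, the concrete path for the genuine unlock-without-lock bug.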

  8. Demo

  9. Related Work
  • Metal: adds path sensitivity
  • ESC
    • simpler slicing, variable renaming
    • interprocedural
    • annotations optional
  • SLAM / Lazy Abstraction
    • no iteration; guaranteed to converge
    • no need to "discover" predicates
    • SAT > model checking

  10. Related Work
  • ESP
    • Catch more than constants
  • Prefix
    • Sound
    • Simultaneously simulate all paths
  • Model Checking
    • Eats too much memory for many problems

  11. Future Work
  • Slice w.r.t. transitions
    • Only extract variables that influence transitions
  • Unroll loops & recursion enough times to get all possible transitions
