1 / 28

Compositional May-Must Program Analysis Unleashing the Power of Alternation

Compositional May-Must Program Analysis Unleashing the Power of Alternation. Sai Deep Tetali UC Los Angeles. Patrice Godefroid, Aditya V. Nori, Sriram K. Rajamani Microsoft Research. Property checking. Question Does the assertion hold for all possible inputs?. void f() { 0: *p = 4;

vail
Download Presentation

Compositional May-Must Program Analysis Unleashing the Power of Alternation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Compositional May-Must Program Analysis Unleashing the Power of Alternation Sai Deep Tetali UC Los Angeles Patrice Godefroid, Aditya V. Nori, Sriram K. Rajamani Microsoft Research

  2. Property checking Question Does the assertion hold for all possible inputs? void f() { 0: *p = 4; 1: *q = 5; 2: assert () } Must analysis: finds bugs, but can’t prove their absence May analysis: can prove the absence of bugs, but can result in false errors • More generally, we are interested in the query

  3. SMASH = Compositional May-Must Analysis • May analysis = predicate abstraction (SLAM) • Must analysis = symbolic execution + tests (DART) • Compositional May-Must analysis: • Interprocedural analysis • Memoize and re-use may/must summaries • Allows fine-grained coupling and alternation SMASH ≫ Compositional-May || Compositional-Must!

  4. Must information test void f() { 0: *p = 4; 1: *q = 5; } • Captures facts that are guaranteed to hold on particular executions of the program (under-approximation) • Error condition is reachable by any input that satisfies

  5. May information proof void f() { 0: *p = 4; 1: *q = 5; } 0 1 1 ( 2 • Captures facts that are true for all executions of the program(over-approximation) • Proof can be obtained by keeping track of the predicates and (

  6. Must analysis • Associate every program point with a set of program states (under-approximation) • Initialize sets at every program point :

  7. Must analysis • Extend sets by forward (under-approximate) analysis • In particular, use

  8. Must analysis • If an state satisfies error condition, • DART[PLDI ’05] is a specific instance

  9. May analysis • Associate every program point with a finite partitionof (over-approximation) • Initialize regions at every program point : 7

  10. May analysis 0 1 2 2 4 3 • Refine abstraction via a backward (over-approximate) analysis • In particular, use for refinement and record deleted abstract edge in 5 6 7

  11. May analysis 0 1 2 2 4 3 • If the error is unreachable in the abstraction, • SLAM [POPL ’02] is a specific instance 5 6 7

  12. May-Must analysis 0 1 frontier 2 4 3 • Check if frontier can be extended by an set 5 6 7

  13. May-Must analysis 0 1 frontier 2 4 3 • Check if frontier can be extended by an set • If yes, grow with 5 6 7

  14. May-Must analysis 0 1 frontier 2 2 4 3 • Check if frontier can be extended by an set • If not, refine with and record deleted abstract edge in • Synergy/Dash[FSE ’06, ISSTA ‘08] are specific instances 5 6 7

  15. Compositional Must analysis must summary • A must summary for a procedure is of the form • can be obtained by executing from an initial state

  16. Compositional Must analysis procedure must summary = • Generate post states by using must summaries

  17. Compositional Must analysis procedure must summary = • Generate post states by using must summaries • If must summary is applicable, use to extend set • If no must summaries are available for procedure , analyze • SMART[POPL ’07] is a specific instance

  18. Compositional May analysis • A for a procedure is of the form • cannot be obtained by executing starting in state

  19. Compositional May analysis procedure 0 1 2 4 3 • Refine the abstraction for procedure by using the for 5 6 7

  20. Compositional May analysis procedure 0 1 2 2 • Refine the abstraction for procedure by using the for • If is applicable, use to refine the abstraction • If summaries are not available for procedure , analyze • SLAM[POPL ’02] is a specific instance 4 3 5 6 7

  21. SMASH 0 must summary procedure 1 frontier 2 4 3 • Base analysis is a may-must analysis (Dash) • Check if frontier can be extended by a must summary 5 6 7

  22. SMASH 0 must summary procedure 1 frontier 2 4 3 • Check if frontier can be extended by a must summary • If yes, grow with 5 6 7

  23. SMASH 0 procedure 1 frontier 2 2 4 3 • Check if frontier can be refined by a • If yes, use to refine the abstraction • If both must and summaries are not available, analyze procedure • for • for 5 6 7

  24. Interplay between and must summaries must must must must must must must must must

  25. Implementation • The SMASH implementation is a deterministic realization of the declarative rules • Input C program is first abstractly interpreted • No pointer arithmetic -- *(p+i) is treated as *p • Logic encoding -- propositional logic, linear arithmetic and uninterpreted functions • Theorem prover: Z3

  26. Evaluation on Windows 7 drivers We have unleashed the power of alternation! 69 drivers (342000 LOC) and 85properties

  27. Summary • SMASH is a unified framework for compositional may-must program analysis • We have explained SMASH in the context of existing analyses (SLAM, DART, Synergy/Dash …) in the area • Empirical evaluation shows that SMASHcan significantly outperform may-only, must-only and non-compositional may-must algorithms

  28. http://research.microsoft.com/yogi

More Related