
Error Explanation with Distance Metrics

Learn about producing explanations using distance metrics. Understand how CBMC model checker works and perform experiments to find successful executions. Dive into metric d based on Static Single Assignment (SSA).


Presentation Transcript


  1. Error Explanation with Distance Metrics (2006.11.2, 최윤라)

  2. Contents

     • Overview
     • Distance Metric d
     • Producing Explanation (Δs)
     • Δ-Slicing
     • Experiments

  3. Overview (flow diagram)

     P + spec  -->  CBMC  -->  counterexample
                    (SAT solver finds a counterexample)

     counterexample  -->  explain  -->  Δs, closest successful execution
                          (PBS finds the closest successful execution as measured by the distance metric)

     (diagram labels: S, S')

  4. Explanation with distance metrics

     • The metric d is based on Static Single Assignment (SSA) (plus loop unrolling).
     • The CBMC model checker (a bounded model checker for C programs) translates an ANSI C program into a set of equations.
     • An execution of the program is just a solution to this set of equations.

  5. SSA Transformation

     Original program:

        int main () {
          int input1, input2, input3;
          int least = input1;
          int most = input1;
          if (most < input2)
            most = input2;
          if (most < input3)
            most = input3;
          if (least > input2)
            most = input2;
          if (least > input3)
            least = input3;
          assert(least<=most);
        }

     SSA form (every assignment gets a fresh numbered version; guard variables record the branch conditions):

        int main () {
          int input1#0,input2#0,input3#0;
          int least#0 = input1#0;
          int most#0 = input1#0;
          most#1 = input2#0;
          guard#1 = most#0<input2#0;
          most#2=guard#1?most#1:most#0;
          most#3 = input3#0;
          guard#2 = most#2<input3#0;
          most#4=guard#2?most#3:most#2;
          most#5 = input2#0;
          guard#3 = least#0>input2#0;
          most#6=guard#3?most#5:most#4;
          least#1 = input3#0;
          guard#4 = least#0>input3#0;
          least#2=guard#4?least#1:least#0;
          assert(least#2<=most#6);
        }

  6. Transformation to Equations

     The SSA program of slide 5 becomes a single conjunction of equations; an execution of the program is a solution of this system:

        ( least#0 == input1#0 ∧
          most#0 == input1#0 ∧
          most#1 == input2#0 ∧
          guard#1 == most#0<input2#0 ∧
          most#2 == guard#1?most#1:most#0 ∧
          most#3 == input3#0 ∧
          guard#2 == most#2<input3#0 ∧
          most#4 == guard#2?most#3:most#2 ∧
          most#5 == input2#0 ∧
          guard#3 == least#0>input2#0 ∧
          most#6 == guard#3?most#5:most#4 ∧
          least#1 == input3#0 ∧
          guard#4 == least#0>input3#0 ∧
          least#2 == guard#4?least#1:least#0 ∧
          least#2<=most#6 )

  7. Negation of Claim

     To search for a counterexample, the claim is negated: the constraint system is the one on slide 6 with the final conjunct least#2<=most#6 replaced by least#2>most#6. Any solution of this system is a failing execution.

  8. Execution Representation

     A counterexample (a solution of the negated system on slide 7) is represented as an assignment to every SSA variable:

        input1#0 = 1
        input2#0 = 0
        input3#0 = 1
        least#0 = 1
        most#0 = 0
        \guard#1 = FALSE
        most#1 = 0
        most#2 = 1
        \guard#2 = FALSE
        most#3 = 1
        most#4 = 1
        \guard#3 = TRUE
        most#5 = 0
        most#6 = 0
        \guard#4 = FALSE
        \least#1 = 1
        \least#2 = 1

  9. Distance Metric d

        variable     counterexample   successful execution
        input1#0     1                1
        input2#0     0                1
        input3#0     1                1
        least#0      1                1
        most#0       1                1
        \guard#1     FALSE            FALSE
        most#1       0                1
        most#2       1                1
        \guard#2     FALSE            FALSE
        most#3       1                1
        most#4       1                1
        \guard#3     TRUE             FALSE
        most#5       0                1
        most#6       0                1
        \guard#4     FALSE            FALSE
        \least#1     1                1
        \least#2     1                1

     d = 5: the two executions differ in the values of five SSA variables (input2#0, most#1, \guard#3, most#5, most#6).

  10. New SAT variables

     For each SSA variable v_i with value val_i in the counterexample (slide 9), a new variable Δv_i is added that is true exactly when the execution assigns v_i a different value:

        Δinput1#0 == (input1#0 != 1)
        Δinput2#0 == (input2#0 != 0)
        Δinput3#0 == (input3#0 != 1)
        Δleast#0 == (least#0 != 1)
        Δmost#0 == (most#0 != 1)
        Δ\guard#1 == (\guard#1 != FALSE)
        Δmost#1 == (most#1 != 0)
        Δmost#2 == (most#2 != 1)
        Δ\guard#2 == (\guard#2 != FALSE)
        Δmost#3 == (most#3 != 1)
        Δmost#4 == (most#4 != 1)
        Δ\guard#3 == (\guard#3 != TRUE)
        Δmost#5 == (most#5 != 0)
        Δmost#6 == (most#6 != 0)
        Δ\guard#4 == (\guard#4 != FALSE)
        Δ\least#1 == (\least#1 != 1)
        Δ\least#2 == (\least#2 != 1)
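An added worked example (not from the slides, and not the CBMC/explain code): the minmax program of slides 5 to 10 evaluated in SSA form, the metric d counted over SSA variables, and an exhaustive search over a small constructed input domain (0..2) standing in for the PBS solver, returning the closest successful executions and their Δs. Guard names drop CBMC's leading backslash.

```python
from itertools import product

# Constructed SSA evaluation of the (buggy) minmax program from the slides;
# guards are named guard#n here, without CBMC's leading backslash.
def ssa_execution(input1, input2, input3):
    """Return the assignment to every SSA variable for the given inputs."""
    v = {"input1#0": input1, "input2#0": input2, "input3#0": input3}
    v["least#0"] = v["input1#0"]
    v["most#0"] = v["input1#0"]
    v["most#1"] = v["input2#0"]
    v["guard#1"] = v["most#0"] < v["input2#0"]
    v["most#2"] = v["most#1"] if v["guard#1"] else v["most#0"]
    v["most#3"] = v["input3#0"]
    v["guard#2"] = v["most#2"] < v["input3#0"]
    v["most#4"] = v["most#3"] if v["guard#2"] else v["most#2"]
    v["most#5"] = v["input2#0"]
    v["guard#3"] = v["least#0"] > v["input2#0"]
    v["most#6"] = v["most#5"] if v["guard#3"] else v["most#4"]  # bug: should update least
    v["least#1"] = v["input3#0"]
    v["guard#4"] = v["least#0"] > v["input3#0"]
    v["least#2"] = v["least#1"] if v["guard#4"] else v["least#0"]
    v["assert"] = v["least#2"] <= v["most#6"]  # the claim least <= most
    return v

def deltas(a, b):
    """Δ variables: the SSA variables whose values differ between executions a and b."""
    return [k for k in a if k != "assert" and a[k] != b[k]]

def distance(a, b):
    """The metric d: number of SSA variables (guards included) with different values."""
    return len(deltas(a, b))

def closest_successful(counterexample, domain=range(3)):
    """Exhaustively search a small constructed input domain for the successful
    executions closest to the counterexample (stands in for the PBS optimisation)."""
    best_d, best = None, []
    for inputs in product(domain, repeat=3):
        run = ssa_execution(*inputs)
        if not run["assert"]:
            continue  # not a successful execution
        d = distance(counterexample, run)
        if best_d is None or d < best_d:
            best_d, best = d, [run]
        elif d == best_d:
            best.append(run)
    return best_d, best
```

With the slides' counterexample ssa_execution(1, 0, 1), the search reports d = 5, and the execution with all inputs equal to 1 (slide 9) is one of the closest successful executions.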

  11. Δ-Slicing

        int main () {
          int input1,input2;
          int x=1,y=1,z=1;
          if (input1 > 0) {
            x += 5;
            y += 6;
            z += 4;
          }
          if (input2 > 0) {
            x += 6;
            y += 5;
            z += 4;
          }
          assert((x<10)||(y<10));
        }

     z is irrelevant to the assertion! What is the smallest subset of the changes in values between two executions that results in a change in the value of the predicate?

  12. Δ-Slicing algorithm

     • Produce an explanation (a set of Δs) for a counterexample.
     • Modify the SAT constraints (a is the counterexample, b the successful execution):
        – replace the constraints for variables in the Δs with (v_i = val_i^a) ∨ ((v_i = val_i^b) ∧ (v_i = expr_i))
        – replace the constraints for all other variables with v_i = val_i^a
     • Find a new solution to the modified constraint system.

  13. Δ-Slicing for the Example

     (figures: partial constraints for slice.c; Δ-slicing constraints for slice.c; Δ-slice for slice.c)
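An added example (not from the slides or from explain) for the Δ-slicing question of slides 11 to 13: slice.c is encoded as constructed SSA equations, and the smallest subsets of the Δs that are consistently computed and flip the assertion are found by brute force over subsets instead of through the modified SAT constraints of slide 12.

```python
from itertools import combinations

# Constructed compact SSA form of slice.c: one defining expression per
# variable, with each if-guard folded into the guarded assignments.
SSA = [
    ("guard#1", lambda v: v["input1"] > 0),
    ("x#1", lambda v: v["x#0"] + 5 if v["guard#1"] else v["x#0"]),
    ("y#1", lambda v: v["y#0"] + 6 if v["guard#1"] else v["y#0"]),
    ("z#1", lambda v: v["z#0"] + 4 if v["guard#1"] else v["z#0"]),
    ("guard#2", lambda v: v["input2"] > 0),
    ("x#2", lambda v: v["x#1"] + 6 if v["guard#2"] else v["x#1"]),
    ("y#2", lambda v: v["y#1"] + 5 if v["guard#2"] else v["y#1"]),
    ("z#2", lambda v: v["z#1"] + 4 if v["guard#2"] else v["z#1"]),
]
EXPR = dict(SSA)  # inputs have no defining expression and stay unconstrained

def predicate(v):
    """The assertion of slice.c: (x < 10) || (y < 10)."""
    return v["x#2"] < 10 or v["y#2"] < 10

def execute(input1, input2):
    """Evaluate slice.c in SSA form for the given inputs."""
    v = {"input1": input1, "input2": input2, "x#0": 1, "y#0": 1, "z#0": 1}
    for name, expr in SSA:
        v[name] = expr(v)
    return v

def delta_slices(a, b):
    """Smallest subsets S of the Δs between a and b such that every variable in
    S takes its value in b and is consistently computed by its SSA expression,
    every other variable keeps its value in a, and the predicate flips."""
    deltas = [k for k in a if a[k] != b[k]]
    for size in range(1, len(deltas) + 1):
        found = []
        for s in combinations(deltas, size):
            v = dict(a)                      # all other variables: value in a
            v.update((k, b[k]) for k in s)   # variables in S: value in b
            consistent = all(k not in EXPR or EXPR[k](v) == v[k] for k in s)
            if consistent and predicate(v) != predicate(a):
                found.append(s)
        if found:
            return found
    return []
```

For the counterexample execute(1, 1) and the closest successful execution execute(1, 0), the Δs are input2, guard#2, x#2, y#2 and z#2; the minimal slices keep input2, guard#2 and one of x#2 or y#2, and z#2 never appears, matching the slide's remark that z is irrelevant.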

  14. Experiments

     • Scores were generally much better than other methods—when they could be applied at all.
     • Much more consistent.
     • The testing-based methods of Renieris and Reiss occasionally worked better, but also gave useless (score 0) explanations much of the time.
