1 / 35

Program Analysis via Satisfiability Modulo Path Programs

Program Analysis via Satisfiability Modulo Path Programs. William Harris , Sriram Sankaranarayanan , Franjo Ivan č i ć , Aarti Gupta. POPL 2010. Assertions as Specifications. Lightweight Often automatic from semantics Null-pointer dereferences Buffer overflows.

jodie
Download Presentation

Program Analysis via Satisfiability Modulo Path Programs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Program Analysis viaSatisfiability Modulo Path Programs William Harris, SriramSankaranarayanan, FranjoIvančić, Aarti Gupta POPL2010

  2. Assertions as Specifications • Lightweight • Often automatic from semantics • Null-pointer dereferences • Buffer overflows

  3. proc. foo(int* p, intpLen, int mode) assume (pLen > 1); int off, L := 1, bLen := 0; if (p = NULL) pLen := -1; if (mode = 0) off := 1; else off := 0; while (L <= pLen) bLen := L – off; L := 2 * L; assert(!p || bLen <= pLen);

  4. Path Program: Left Branch, Left Branch L := 1 bLen := 0 pLen >= 1 p = 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 ... Æ p = 0 p != 0 pLen := -1 … Æ p = 0 ÆpLen = -1 mode = 0 mode != 0 … Æ p = 0 Æ mode = 0 off := 1 off := 0 … Æ p = 0 … Æ p = 0 L > pLen p != 0 && bLen > pLen L <= pLen bLen := L – off L := L * 2 False

  5. Path Program: Left Branch, Right Branch L := 1 bLen := 0 pLen >= 1 p = 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 … Æ p = 0 p != 0 pLen := -1 … Æ p =0 mode = 0 mode != 0 … Æ p = 0 Æ mode  0 off := 0 off := 1 … Æ p = 0 … Æ p = 0 L > pLen L <= pLen bLen := L – off L := L * 2 p != 0 && bLen > pLen False

  6. Path Program: Right Branch, Left Branch L := 1 bLen := 0 pLen >= 1 p = 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 p != 0 pLen := -1 L = 1 ÆbLen = 0 ÆpLen¸ 1 mode = 0 mode != 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 off := 0 off := 1 bLen·pLen bLen·pLen L > pLen L <= pLen bLen := L – off L := L * 2 p != 0 && bLen > pLen False

  7. Path Program: Right Branch, Right Branch L := 1 bLen := 0 pLen >= 1 p = 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 p != 0 pLen := -1 L = 1 ÆbLen = 0 Æ p  0 mode = 0 mode != 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 off := 0 off := 1 bLen·pLen bLen·pLen L > pLen L <= pLen bLen := L – off L := L * 2 p != 0 && bLen > pLen False

  8. Control-Flow Abstraction L := 1 bLen := 0 pLen >= 1 L := 1 bLen := 0 pLen >= 1 bLen·pLen p != 0 bLen·pLen mode != 0 bLen·pLen off := 1 bLen·pLen bLen·pLen L > pLen p != 0 && bLen > pLen p != 0 && bLen > pLen L <= pLen bLen := L – off L := L * 2 False

  9. Key Issues Need: • abstraction • refinement that allow us to analyze a small set of path programs, generalize proofs.

  10. Road Map • Satisfiability Modulo Path Programs (SMPP) • Experimental Evaluation

  11. Abstraction • Encode unproven path programs as propositional formula. • Query SAT solver for solution. • From the solution, extract an unverified path program.

  12. Propositional Variables for Edges q0 q1 q2 q3 q5 q4 q6 q7 q8 q9

  13. Encoding Path Programs q0 = True q0 q9 q9 = True

  14. Encoding Path Programs q3!exactlyOne(q4, q5) q2!exactlyOne(q4, q5) q4!exactlyOne(q3, q2) q5!exactlyOne(q3, q2) q3 q2 q4 q5

  15. Initial Abstraction of Example q0 Æq0$exactlyOne(q1, q2) Æq1$q3 ÆexactlyOne(q3, q2) $exactlyOne(q4, q5) Æ (q4$q6) Æ (q5$q7) ÆexactlyOne(q6, q7) $q8 Æq8$q9 Æq9 q0 Æq0$exactlyOne(q1, q2) • Æq1$q3 • ÆexactlyOne(q3, q2) $exactlyOne(q4, q5) • Æ(q4$q6) Æ(q5$q7) • ÆexactlyOne(q6, q7) $q8 • Æq8$q9 • Æq9 ¤ :=

  16. A Path Program from a SAT Solution q0 q0 q1 q2 q2 q3 q5 q5 q4 q6 q7 q7 q8 q8 q9 q9

  17. Refinement • Applyprogram analysis oracle to determine safety of path program • If safe, then encode safety in the abstraction

  18. Apply Analysis Oracle: Naïve L := 1 bLen := 0 pLen >= 1 p = 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 p != 0 pLen := -1 L = 1 ÆbLen = 0 Æ p  0 mode = 0 mode != 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 off := 0 off := 1 bLen·pLen bLen·pLen L > pLen p != 0 && bLen > pLen L <= pLen bLen := L – off L := L * 2 False

  19. Prop. Encoding: Naïve q0 q1 q2 q3 q4 q5 q6 q7 q8 q9

  20. Naïve Blocking Clause ¤ := ¤Æ : (q0Æ q2Æ q5Æ q7Æ q8Æ q9)

  21. Apply Analysis Oracle: Local Repair L := 1 bLen := 0 pLen >= 1 L = 1 ÆbLen = 0 ÆpLen¸1 p = 0 p != 0 pLen := -1 L = 1 ÆbLen = 0 ÆpLen¸ 1 Æ p  0 mode = 0 mode != 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 Æ p  0 Æmode  0 off := 0 off := 1 bLen·pLen Æ off = 1 bLen·pLen Æ off = 1 L > pLen P != 0 && bLen > pLen L <= pLen bLen := L – off L := L * 2 False

  22. Apply Analysis Oracle: Local Repair L := 1 bLen := 0 pLen >= 1 L := 1 bLen := 0 pLen >= 1 L = 1 ÆbLen = 0 ÆpLen¸ 1 p = 0 p != 0 pLen := -1 pLen := -1 L = 1 ÆbLen = 0 ÆpLen¸ 1 Æ p  0 L = 1 ÆbLen = 0 ÆpLen¸ 1 mode = 0 mode != 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 L = 1 ÆbLen = 0 ÆpLen¸ 1 Æ p  0 Æ Mode  0 off := 0 off := 1 bLen·pLen bLen·pLenÆ off = 1 bLen·pLen Æ off = 1 bLen·pLen L > pLen p != 0 && bLen > pLen p != 0 && bLen > pLen L <= pLen bLen := L – off L := L * 2 False

  23. Prop. Encoding: Local Repair q0 q1 q2 q3 q4 q5 q6 q7 q8 q9

  24. Blocking Clause with Local Repair (:(q0Æq9) Çq3) : (q0Æq2Æq5Æq7Æq8Æq9) ¤ := ¤Æ

  25. One More Path Program Suffices L := 1 bLen := 0 pLen >= 1 p = 0 p = 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 ... Æ p = 0 p != 0 pLen := -1 … Æ p = 0 ÆpLen = -1 mode = 0 mode != 0 … Æ p = 0 Æ mode = 0 off := 0 off := 1 … Æ p = 0 … Æ p = 0 L > pLen L <= pLen bLen := L – off L := L * 2 p != 0 && bLen > pLen p != 0 && bLen > pLen False

  26. Experiments

  27. Zitser Benchmarks • Real world programs: • wu-ftpd • bind • sendmail • Checked for buffer overflow bugs • BLAST proves more properties on average • SMPP completes faster (>100x)

  28. Larger Benchmarks • Real-world programs: • thttpd • ssh-server • xvidcore • Checked function pre, post conditions for buffer accesses • SMPP proved ~35% of thousands of properties

  29. Conclusion • SMPP uses a symbolic abstraction refinement scheme forcontrol-flow. • SMPP is slightly coarser than predicate abstraction, but converges much faster.

  30. Questions?

  31. Predicate Abstraction L := 1 bLen := 0 pLen >= 1 : (bLen·pLen) bLen·pLen p != 0 bLen·pLen : (bLen·pLen) mode != 0 : (bLen·pLen) bLen·pLen : (bLen·pLen) off := 1 L > pLen bLen·pLen bLen·pLen : (bLen·pLen) p != 0 && bLen > pLen L <= pLen bLen := L – off L := L * 2 False

  32. SMPP: Path Program 1 L := 1 bLen := 0 pLen >= 1 L := 1 bLen := 0 pLen >= 1 p = 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 p != 0 pLen := -1 pLen := -1 L = 1 ÆbLen = 0 Æ p  0 mode = 0 mode != 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 off := 0 off := 1 bLen·pLen bLen·pLen L > pLen p != 0 && bLen > pLen p != 0 && bLen > pLen L <= pLen bLen := L – off L := L * 2 False

  33. SMPP: Path Program 2 L := 1 bLen := 0 pLen >= 1 p = 0 p = 0 L = 1 ÆbLen = 0 ÆpLen¸ 1 ... Æ p = 0 p != 0 pLen := -1 … Æ p = 0 ÆpLen = -1 mode = 0 mode != 0 … Æ p = 0 Æ mode = 0 off := 0 off := 1 … Æ p = 0 … Æ p = 0 L > pLen L <= pLen bLen := L – off L := L * 2 p != 0 && bLen > pLen p != 0 && bLen > pLen False

  34. Problem Statement SMT SMPP Given a disjunctive formula branching program determine satisfiability safety using theory solvers analyses for conjunctive formulas. path programs.

  35. Key Analog • Abstraction using a propositional encoding • Refinement using blocking clauses conjoined to abstraction

More Related