320 likes | 528 Views
Compositional May-Must Program Analysis Unleashing the Power of Alternation. Sai Deep Tetali UC Los Angeles. Patrice Godefroid, Aditya V. Nori, Sriram K. Rajamani Microsoft Research. Property checking. Question Does the assertion hold for all possible inputs?. void f() { 0: *p = 4;
E N D
Compositional May-Must Program Analysis Unleashing the Power of Alternation Sai Deep Tetali UC Los Angeles Patrice Godefroid, Aditya V. Nori, Sriram K. Rajamani Microsoft Research
Property checking Question Does the assertion hold for all possible inputs? void f() { 0: *p = 4; 1: *q = 5; 2: assert () } Must analysis: finds bugs, but can’t prove their absence May analysis: can prove the absence of bugs, but can result in false errors • More generally, we are interested in the query
SMASH = Compositional May-Must Analysis • May analysis = predicate abstraction (SLAM) • Must analysis = symbolic execution + tests (DART) • Compositional May-Must analysis: • Interprocedural analysis • Memoize and re-use may/must summaries • Allows fine-grained coupling and alternation SMASH ≫ Compositional-May || Compositional-Must!
Must information test void f() { 0: *p = 4; 1: *q = 5; } • Captures facts that are guaranteed to hold on particular executions of the program (under-approximation) • Error condition is reachable by any input that satisfies
May information proof void f() { 0: *p = 4; 1: *q = 5; } 0 1 1 ( 2 • Captures facts that are true for all executions of the program(over-approximation) • Proof can be obtained by keeping track of the predicates and (
Must analysis • Associate every program point with a set of program states (under-approximation) • Initialize sets at every program point :
Must analysis • Extend sets by forward (under-approximate) analysis • In particular, use
Must analysis • If an state satisfies error condition, • DART[PLDI ’05] is a specific instance
May analysis • Associate every program point with a finite partitionof (over-approximation) • Initialize regions at every program point : 7
May analysis 0 1 2 2 4 3 • Refine abstraction via a backward (over-approximate) analysis • In particular, use for refinement and record deleted abstract edge in 5 6 7
May analysis 0 1 2 2 4 3 • If the error is unreachable in the abstraction, • SLAM [POPL ’02] is a specific instance 5 6 7
May-Must analysis 0 1 frontier 2 4 3 • Check if frontier can be extended by an set 5 6 7
May-Must analysis 0 1 frontier 2 4 3 • Check if frontier can be extended by an set • If yes, grow with 5 6 7
May-Must analysis 0 1 frontier 2 2 4 3 • Check if frontier can be extended by an set • If not, refine with and record deleted abstract edge in • Synergy/Dash[FSE ’06, ISSTA ‘08] are specific instances 5 6 7
Compositional Must analysis must summary • A must summary for a procedure is of the form • can be obtained by executing from an initial state
Compositional Must analysis procedure must summary = • Generate post states by using must summaries
Compositional Must analysis procedure must summary = • Generate post states by using must summaries • If must summary is applicable, use to extend set • If no must summaries are available for procedure , analyze • SMART[POPL ’07] is a specific instance
Compositional May analysis • A for a procedure is of the form • cannot be obtained by executing starting in state
Compositional May analysis procedure 0 1 2 4 3 • Refine the abstraction for procedure by using the for 5 6 7
Compositional May analysis procedure 0 1 2 2 • Refine the abstraction for procedure by using the for • If is applicable, use to refine the abstraction • If summaries are not available for procedure , analyze • SLAM[POPL ’02] is a specific instance 4 3 5 6 7
SMASH 0 must summary procedure 1 frontier 2 4 3 • Base analysis is a may-must analysis (Dash) • Check if frontier can be extended by a must summary 5 6 7
SMASH 0 must summary procedure 1 frontier 2 4 3 • Check if frontier can be extended by a must summary • If yes, grow with 5 6 7
SMASH 0 procedure 1 frontier 2 2 4 3 • Check if frontier can be refined by a • If yes, use to refine the abstraction • If both must and summaries are not available, analyze procedure • for • for 5 6 7
Interplay between and must summaries must must must must must must must must must
Implementation • The SMASH implementation is a deterministic realization of the declarative rules • Input C program is first abstractly interpreted • No pointer arithmetic -- *(p+i) is treated as *p • Logic encoding -- propositional logic, linear arithmetic and uninterpreted functions • Theorem prover: Z3
Evaluation on Windows 7 drivers We have unleashed the power of alternation! 69 drivers (342000 LOC) and 85properties
Summary • SMASH is a unified framework for compositional may-must program analysis • We have explained SMASH in the context of existing analyses (SLAM, DART, Synergy/Dash …) in the area • Empirical evaluation shows that SMASHcan significantly outperform may-only, must-only and non-compositional may-must algorithms