
Lazy Symbolic Execution for Enhanced Learning



  1. Lazy Symbolic Execution for Enhanced Learning
  Vijayaraghavan Murali, National University of Singapore
  Co-authors: Duc-Hiep Chu, Joxan Jaffar

  2. Symbolic Execution
  • Setting: program verification
  • Execute the program with symbolic inputs
  • Collect constraints in a "path condition"
  • Satisfiability check (SMT/constraint solver)
  • If UNSAT, stop exploring the path ("eagerness")
  • Advantage: no spurious counter-examples, no refinement, etc.
  • Problem: path explosion
  [Figure: symbolic execution tree (nodes c1, d, e); the number of paths is exponential]

  3. Symbolic Execution
  • Interpolation [Jaffar CP'09] [McMillan CAV'10]
  • "Learn" interpolants from symbolic paths
  • An interpolant is a formula that succinctly captures the reason for the infeasibility of paths (the reason for safety)
  • If an interpolant is implied by the current path condition, subsume/cover/prune the path
  • IMPACT, TRACER, UFO, etc.
  • The quality of the interpolants controls the amount of subsumption
  • The more general (weaker) the interpolant, the better
  [Figure: symbolic execution tree (nodes c1, c2, c2, d, e)]

  4. Eager vs Learning
  • Eagerness stops SE at an infeasibility and computes an interpolant to capture it

  Left program:
    x = y = 0
    if () y++ else x++
    if () y++ else x++
    …
    if () y++ else x++
    assert(y n)

  Right program:
    x = y = 0
    if () y+=2
    if () y+=2
    …
    if () y+=2
    assert(y n)

  Slide markings (Wingdings û = ✗, ü = ✓): left program ✗ EAG, ✓ NON-EAG; right program ✓ EAG, ✗ NON-EAG.

  5. Eager vs Learning
  • No clear "silver bullet" solution
  • In practice, safety properties involve only a small subset of the variables, whereas program guards can be on any (unrelated) variables
  • The number of path expressions that need to be considered for safety is relatively small in practice
  • How to find these "relevant" path expressions effectively?
  • Our proposal: speculation

  6. Example

  7. Speculation
  • Speculate that an infeasible guard is irrelevant for safety
  • If safety can be proved without it, produce a better (weaker) interpolant
  • Give up speculation after "some time"

  8. Example (with speculation)

  9. Two important decisions
  • How to speculate? (make the UNSAT formula SAT)
    • Correction subset: delete the last encountered guard
  • When to stop the speculative search? (bound)
    • Linear bound: each program point (PP) should be explored at most once
    • Anything less than a linear bound makes speculation arbitrarily short
    • Experiments show that a linear bound is good enough
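The following is an added example, not the authors' TRACER code, illustrating slides 7 and 9: a brute-force "solver" over a small integer domain stands in for SMT, `eager_interpolant` learns the reason an infeasible path condition is UNSAT (as eager SE does), and `speculate` applies the correction subset (delete the last encountered guard) up to a bound and, if safety is still provable, learns the reason for safety instead. The constraint names, the variables `a`/`b` and the path condition are constructed for this toy; a greedy minimal core is used as a stand-in for a real interpolant.

```python
from itertools import product

# Added example (not the authors' TRACER code): a brute-force "solver" over a
# small integer domain stands in for SMT. Constraints are (name, vars, pred)
# triples; a path condition is a list of them in the order the guards were met.
DOMAIN = range(-4, 5)
VARS = ("a", "b")                              # constructed symbolic inputs

def sat(constraints):
    """True if some assignment in DOMAIN satisfies every constraint."""
    return any(all(pred(dict(zip(VARS, vals))) for _, _, pred in constraints)
               for vals in product(DOMAIN, repeat=len(VARS)))

def minimal_core(constraints, extra=()):
    """Greedily drop constraints while the conjunction with `extra` stays UNSAT.
    The survivors are a succinct reason for UNSAT: our stand-in for an interpolant."""
    core = list(constraints)
    for item in list(constraints):
        trial = [c for c in core if c is not item]
        if not sat(trial + list(extra)):
            core = trial
    return core

def vars_of(interpolant):
    """Variables mentioned by an interpolant (cf. the slide-13 metric)."""
    return set().union(*[vs for _, vs, _ in interpolant])

def eager_interpolant(pc):
    """Eager SE: the path condition is UNSAT, so learn why it is infeasible."""
    return minimal_core(pc)

def speculate(pc, unsafe, bound):
    """Correction subset = delete the last encountered guard, at most `bound` times.
    If the path becomes feasible and the error stays unreachable, return the
    reason for safety (weaker: only safety-relevant variables). Return None when
    the deleted guard turns out to be relevant or the bound is exhausted."""
    spec = list(pc)
    for _ in range(bound):
        spec = spec[:-1]                       # drop the last encountered guard
        if sat(spec):
            if sat(spec + [unsafe]):
                return None                    # guard was relevant for safety
            return minimal_core(spec, extra=[unsafe])
    return None                                # bound exceeded, still infeasible

# Constructed path: the guards on b are infeasible together; safety only concerns a.
A_LE_2 = ("a <= 2", {"a"}, lambda e: e["a"] <= 2)
B_GT_1 = ("b > 1", {"b"}, lambda e: e["b"] > 1)
B_LT_0 = ("b < 0", {"b"}, lambda e: e["b"] < 0)   # UNSAT given b > 1
UNSAFE = ("a > 3", {"a"}, lambda e: e["a"] > 3)   # negation of assert(a <= 3)
PATH = [A_LE_2, B_GT_1, B_LT_0]
```

Eager learning yields a core over `b` only, which says nothing about the property; speculation deletes `b < 0`, finds the error still unreachable, and learns `a <= 2`, which mentions only the safety-relevant variable and so subsumes more paths.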

  10. Points to note
  • Speculation can fail if:
    • The guard was relevant for safety; we can still learn interpolants on other (irrelevant) guards during speculation
    • The bound was exceeded; increasing the bound is not likely to result in better interpolants
  • Does speculation always produce better interpolants?
    • Monotonic (when , interpolant wrt interpolant wrt )

  11. Experiments
  • Implemented speculation on the TRACER (eager) framework
  • Benchmarks are safe sequential C programs
    • ntdrivers (SV-COMP'13), Linux drivers, tcas, Mälardalen WCET
  • Safe programs ensure a full search of the program's state space
  • TRACER is competitive with CPA and IMPACT

  12. Experiments
  • Speculation produced a smaller number of interpolants while simultaneously increasing subsumption
  • The quality of the interpolants discovered by speculation is enhanced

  13. Experiments
  • 363 variables involved in interpolants without speculation, versus only 229 with speculation
  • Speculation has a 40-90% success rate at the speculation point
  • Failure occurs overwhelmingly because the guard was relevant for safety, not because the bound was exhausted
  • Increasing the bound gives diminishing returns
  • The linear bound is "necessary" in principle and "sufficient" in practice

  14. Related Work
  • Symbolic execution used in verification, testing, analysis
    • KLEE [OSDI'08], SAGE [Queue'12], TRACER [SAS'12]
  • Interpolation for scalability
    • IMPACT [CAV'10], TRACER [CAV'12], UFO [TACAS'13]
  • Property Directed Reachability
    • [FMCAD'11], [SAT'12], [DATE'13]
  • CEGAR [CAV'00, …]
    • Spurious counter-examples, expensive refinement schemes
  • Orthogonal: unbounded loops cause SE not to terminate
    • We used existing loop invariant discovery methods [Jaffar RV'11]

  15. Future Work
  • SMT solver = DPLL SAT + T-solvers
    • Eager: at a conflict, DPLL propagates "conflict clauses" (interpolants) and immediately backtracks
    • Speculation can discover conflict clauses related to the property
  • Challenges
    • Decision graph: the speculation bound needs to be redefined
    • No error locations
    • Dynamic heuristics

  16. Thank You!
