1 / 32

Bebop : A Symbolic Model Checker for Boolean Programs

Bebop : A Symbolic Model Checker for Boolean Programs. Thomas Ball Sriram K. Rajamani. http://research.microsoft.com/slam/. Outline. Boolean Programs and Bebop What? Why? Results Demo Semantics of Boolean Programs Technical details of algorithm Evaluation Related Work.

zoltin
Download Presentation

Bebop : A Symbolic Model Checker for Boolean Programs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani http://research.microsoft.com/slam/

  2. Outline • Boolean Programs and Bebop • What? • Why? • Results • Demo • Semantics of Boolean Programs • Technical details of algorithm • Evaluation • Related Work

  3. Boolean Programs: What • Model for representing abstractions of imperative programs in C, C#, Java, etc. • Features: • Boolean variables • Control-flow: sequencing, conditionals, looping, GOTOs • Procedures • Call-by-value parameter passing • recursion • Control non-determinism

  4. Boolean programs: Why bool x,y; [1] while (true) { [2] if(x == y) { [3] y = !x; } else{ [4] x = !x; [5] y = !y; } [6] if (?) break; } [7] if(x == y) [8] assert (false); Representation of program abstractions, a la Cousots Each boolean variable represents a predicate: • (i < j) • (*p==i) && ( (int) p == j) • (p  T), where T is recursive data type • [Graf-Saidi]

  5. Bebop - Results • Reachability in boolean programs reduced to context-free language reachability • Symbolic interprocedural dataflow analysis • Adaptation of [Reps-Horwitz-Sagiv, POPL’95] algorithm • Complexity of algorithm is O(E  2n) • E = size of interprocedural control flow graph • n = max. number of variables in the scope of any label

  6. Bebop - Results • Admits control flow + variables • Existing pushdown model checkers don’t use variables (encode variable values explicitly in state) [Esparaza, et al.] • Analyzes procedures separately • exploits procedural abstraction + locality of variable scopes • Uses hybrid representation • Explicit representation of control flow graph, as in a compiler • Implicit representation of reachable states via BDDs • Generates hierarchical trace

  7. Bebop Demo!

  8. Outline • Boolean Programs and Bebop • Semantics of Boolean Programs • “stackless” semantics using context-free grammar • Technical details of algorithm • Evaluation • Related Work

  9. Stackless Semantics • State  = <p,> • p = program counter •  = valuation to variables in scope at p • No stack! • (B): finite alphabet over boolean program B • <call,p,> • Call (with return to p),  a valuation to Locals(p) • <ret,p,> • Return to p,  a valuation to Locals(p)

  10. ’(x) = (x), x in Locals(c) • ’(g) = (g), g a global <c:Pr(), > <d: Proc Pr(),’> <e, ’> <r, >  = <call,e,>  = <ret,e,> State transition <p,> --> <p’,’> (x) = (x), x in Locals(c) ’(g) = (g), g a global

  11. Trace Semantics • Context-free grammar L(B) constrains allowable traces • M -> <call,q,> M <ret,q,> • M -> M M • M ->  • 0 -1-> 1 -2-> … m-1 -m-> m is a trajectory of B iff • i -i+1-> i+1 is a state transition, for all i • 1 2 … m  L(B)

  12. Outline • Boolean Programs and Bebop • Semantics of Boolean Programs • Technical details of reachability algorithm • Binary Decision Diagrams (BDDs) • Path edges • Summary edges • Example • Preliminary Evaluation • SLAM Project

  13. x y y z z z z 1 1 0 0 0 0 1 1 Binary Decision Diagrams • Acyclic graph data structure for representing a boolean function (equivalently, a set of bit vectors) • F(x,y,z) = (x=y)

  14. x y y x z y y x 0 0 y y 1 z z z z z 1 1 1 0 0 0 0 1 1 Hash Consing + Variable Elimination

  15. Path Edges • <e,p>  PE(p), iff • Exists initialized trajectory ending in <e,e>, where e = entry(Proc(p)) • Exists trajectory from <e,e> to <p,p> • PE(p) is a set of pairs of valuations to boolean variables in scope in Proc(p) • Can be represented with a BDD!

  16. Representing Path Edges with BDDs • Example PE(p) for boolean variables x,y and z: • PE(p) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y) • BDDs also used to represent transfer functions for statements • Transfer(z := x^y) = F(x,y,z,x’,y’,z’) = (x’=x)^(y’=y)^(z’=x^y)

  17. decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end 1 g'=0^h'=1 |g'=1^h'=0 g=g’=0^a1=a1’=0^a2=a2’=1 | g=g’=1^a1=a1’=1^a2=a2’=0 g=g’=0^a1=a1’=0^a2=a2’=1 g=0^g’=1^a1=a1’=0^a2=a2’=1 Join(S,T) = { <1,2> | <1,J>S, <J,2>T } void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end

  18. Summary Edges<1,2> = Lift(<d,r>,Pr) • 1(x) = 2(x), x in Locals(c) • Locals don’t change • 1(g) = d(g) and r(g) = 2(g), g global • Propagation of global state <1,2> c: Pr() d: Proc Pr() e r <d,r>

  19. decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end g=0^g’=1^h=h’=1 g=0^g’=1^h=h’=1 g=0^g’=1^a1=a1’=1^a2=a2’=0 g=0^g’=1^a1=a1’=0^a2=a2’=1 void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end

  20. decl g; void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip; if (g) then R: skip; fi end g'=0^h'=1 |g'=1^h'=0 1 g=0^g’=1^h=h’=1 g’=h’=1 g=g’=a1=a1’=a2=a2’=1 g=g’=a1=a1’=a2=a2’=1 void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end

  21. Worklist Algorithm • while PE(v) has changed, for some v • Determine if any new path edges can be generated • New path edge comes from • Existing path edge + transfer function • Existing path edge + summary edge (transfer function for procedure calls) • New summary edges generated from path edges that reach exit vertex

  22. Generating Error Traces • Partition reachable states into “rings” • A ring R at stmt S is numbered N iff there is a shortest trace of length N to S ending in a state in R • Hierarchical generation of error trace • Skip over or descend into called procedures

  23. Outline • Boolean Programs and Bebop • Semantics of Boolean Programs • Technical details of algorithm • Preliminary Evaluation • Linear behavior if # vars in scope remains constant • Self application of Bebop • Related Work

  24. void level<i>() begin decl a,b,c; if (g) then while(!a|!b|!c) do if (!a) then a := 1; elsif (!b) then a,b := 0,1; elsif (!c) then a,b,c := 0,0,1; else skip; fi od else <stmt>; <stmt>; fi g := !g; end decl g; voidmain() begin level1(); level1(); if(!g) then reach: skip; else skip; fi end

  25. Application: Analysis Validation • Live variable analysis (LVA) • A variable x is live at s if there is a path from s to a use of x (with no intervening def of x) • Used to optimize bebop • Quantify out variables as soon as they become dead • How to check correctness of LVA? • Analysis validation • Create a boolean program to check results of LVA • Model check boolean program (w/out LVA)

  26. Analysis Validation • Output of LVA: { (s,x) | x is dead at s } • Boolean program • Two variables per original program var x: • x_dead (initially 0) • x_defined (initially 0) • For each fact (s,x): • x_dead, x_defined := 1, 0; • For each def of x: • x_defined := 1; • For each use of x • if (x_dead && !x_defined) LVAError(); • Query: is LVAError reachable?

  27. Results • Found subtle error in implementation of LVA • Was able to show colleague that there was another error, in his code • Analysis validation now part of regression test suite

  28. Related Work • Pushdown Automata (PDA) decidability results • [Hopcroft-Ullman] • Model checking PDAs • [Bouajjani-Esparza-Maler] [Esparza-Hansel-Rossmanith-Schwoon] • Model checking Hierarchical State Machines • [Alur, Grosu] • Interprocedural dataflow analysis • [Sharir-Pnueli] [Steffen] [Knoop-Steffen] [Reps-Horwitz-Sagiv]

  29. Related Work • Reps-Horwitz-Sagiv (RHS) algorithm • Handles IFDS problems • Interprocedural • Finite domain D • Distributive dataflow functions (MOP=MFP) • Subsets of D • Dataflow as CFL reachability over “exploded graph” • Our results • RHS algorithm can be reformulated as a traditional dataflow algorithm over original control-flow graph with same time/space complexity • Reformulated algorithm is easily lifted to powersets of D using BDDs • Arbitrary dataflow functions • Path-sensitive

  30. Summary • Bebop: a model checker for boolean programs • Based on interprocedural dataflow analysis using BDDs • Exploits procedural abstraction • Admits many traditional compiler optimizations • Hierarchical trace generation + DHTML user interface • Release at end of year • SLAM project • Iteratively refine boolean program models of C programs • Use path simulation to discover relevant predicates (simcl) • Automated predicate abstraction (c2bp)

  31. Software Productivity Tools Microsoft Research http://research.microsoft.com/slam/

More Related