symbolic execution as dpll modulo theories

Post on 13-Dec-2014


DESCRIPTION

Presentation at the ICCSW 2014 workshop.

TRANSCRIPT

Introduction | Background | Symbolic Execution as DPLL(T) | A lightweight approach for Symbolic Execution | Conclusion

Symbolic Execution as DPLL Modulo Theories

Q. Sang Phan

Queen Mary, University of London

September 25, 2014

1 / 25


Outline

1 Introduction

2 Background

3 Symbolic Execution as DPLL(T)

4 A lightweight approach for Symbolic Execution

5 Conclusion


Symbolic Execution

A program analysis technique that has several applications, in particular automated test generation.

Executing programs with symbols instead of concrete inputs.


Symbolic Execution

Academic:

Imperial: KLEE

EPFL: S2E

UC Berkeley: CREST and BitBlaze

UIUC: Cute, jCute

. . .

Industry:

NASA: Symbolic PathFinder

Microsoft: Pex, Sage, Yogi

IBM: Apollo

. . .

Satisfiability Modulo Theories

Decision problem for logical formulas over one or more first-order theories

ϕ ≡ (¬(x0 > 5) ∨ T1) ∧ ((x0 > 5) ∨ T2) ∧ (¬(x0 > 5) ∨ (x1 = x0 + 1)) ∧ (¬(x1 < 3) ∨ T3) ∧ (¬(x1 < 3) ∨ (x2 = x1 − 1)) ∧ ((x1 < 3) ∨ T4) ∧ ((x1 < 3) ∨ (y1 = x1 + 1))

Tools:

Microsoft: Z3

NYU: CVC3

SRI: Yices

. . .

SMT competition: http://www.smtcomp.org/


Symbolic Execution as an SMT solver

Symbolic Execution can be viewed as an SMT solver


DPLL Modulo Theories

The lazy approach for SMT

SMT solver = SAT solver + T-solver

SAT solver: implements the DPLL algorithm

T-solver: checks satisfiability of conjunctions of literals

DPLL-based SAT solver: a depth-first search procedure, using three main operations:

decide: choose a literal l from the formula.

propagate: remove all the clauses containing l, and delete all occurrences of ¬l in the formula.

backtrack: when a conflict is encountered.


Boolean Abstraction

ϕ ≡ (¬(x0 > 5) ∨ T1) ∧ ((x0 > 5) ∨ T2) ∧ (¬(x0 > 5) ∨ (x1 = x0 + 1)) ∧ (¬(x1 < 3) ∨ T3) ∧ (¬(x1 < 3) ∨ (x2 = x1 − 1)) ∧ ((x1 < 3) ∨ T4) ∧ ((x1 < 3) ∨ (y1 = x1 + 1))

(x0 > 5), (x1 = x0 + 1), . . . : T-atoms

T1, T2, . . . : Boolean atoms

Boolean abstraction of ϕ:

ϕP ≡ (¬G1 ∨ T1) ∧ (G1 ∨ T2) ∧ (¬G1 ∨ A1) ∧ (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧ (G2 ∨ T4) ∧ (G2 ∨ A3)


DPLL-based SAT solver

ϕP ≡ (¬G1 ∨ T1) ∧ (G1 ∨ T2) ∧ (¬G1 ∨ A1) ∧ (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧ (G2 ∨ T4) ∧ (G2 ∨ A3)

0. µP = True; ϕP as above

1. µP = G1; ϕP = (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧ (G2 ∨ T4) ∧ (G2 ∨ A3)

2. µP = G1 ∧ G2; ϕP = True; T-solver(µ) = Inconsistent

3. µP = G1; ϕP = (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧ (G2 ∨ T4) ∧ (G2 ∨ A3)

4. µP = G1 ∧ ¬G2; ϕP = True; T-solver(µ) = Consistent


Symbolic Execution

pc ⊢ c : execute the then path

pc ⊢ ¬c : execute the else path

(pc ⊬ c) ∧ (pc ⊬ ¬c): execute both paths

then path: update pc1 = pc ∧ c

else path: update pc2 = pc ∧ ¬c

Use an SMT solver to check satisfiability of path conditions

Observation

The SMT solver is only used to solve conjunctions of literals ⇒ the SAT solver is not used


Implementation of Symbolic Execution

Symbolic Executor = Boolean Executor + T-solver

Boolean Executor: a depth-first search procedure, using three main operations:

decide: choose a literal from the condition.

update: execute the block of code on that path.

backtrack: when a leaf of the symbolic execution tree is reached.


Symbolic Transition System

A bounded Static Single Assignment program:

P ≡ (S, I, G, A, T)

S : the set of symbolic states

I ⊆ S : the set of initial symbolic states

G : the set of guards

A : the set of actions

Actions that do not update computer memory: represented by Boolean atoms.

Actions that update computer memory: represented by T-atoms.

T ⊆ S × G × A × S : the transition function


Program to formula

tij = 〈si, gij, aij, sj〉 ∈ T : si → sj by action aij under guard gij

Encode the transition into a formula:

tij ≡ gij → aij, or equivalently tij ≡ ¬gij ∨ aij

A program trace:

t01 ∧ t12 ∧ · · · ∧ t(k−1)k = (¬g01 ∨ a01) ∧ (¬g12 ∨ a12) ∧ · · · ∧ (¬g(k−1)k ∨ a(k−1)k)

Program semantics: all possible traces

ϕ = ⋀_{tij ∈ T} tij = ⋀_{tij ∈ T} (¬gij ∨ aij)


Symbolic Transition System: Example

void test(int x, int y) {
    if (x > 5) {
        x++;
        if (x < 3)
            x--;
        else
            y = x + 1;
    }
}

Transition graph of test (the figure on the slide), listed as state --[guard / action]--> state:

s0 --[x0 > 5 / T1]--> s1
s0 --[¬(x0 > 5) / T2]--> s2
s1 --[x0 > 5 / x1 = x0 + 1]--> s3
s3 --[x1 < 3 / T3]--> s4
s3 --[¬(x1 < 3) / T4]--> s5
s4 --[x1 < 3 / x2 = x1 − 1]--> s6
s5 --[¬(x1 < 3) / y1 = x1 + 1]--> s7

ϕ ≡ (¬(x0 > 5) ∨ T1) ∧ ((x0 > 5) ∨ T2) ∧ (¬(x0 > 5) ∨ (x1 = x0 + 1)) ∧ (¬(x1 < 3) ∨ T3) ∧ (¬(x1 < 3) ∨ (x2 = x1 − 1)) ∧ ((x1 < 3) ∨ T4) ∧ ((x1 < 3) ∨ (y1 = x1 + 1))


Symbolic Execution vs SMT solver

Symbolic Execution

Symbolic Executor = Boolean Executor + T-solver

Boolean Executor: a depth-first search procedure, using three main operations: decide, update, backtrack

SMT solver

SMT solver = SAT solver + T-solver

DPLL-based SAT solver: a depth-first search procedure, using three main operations: decide, propagate, backtrack


Symbolic Execution vs SMT solver

Symbolic Execution returns all symbolic paths.

SMT solvers return only one model.

→ Use an SMT solver that can return all models for Symbolic Execution

→ The only SMT solver known to generate all models: MathSAT


Symbolic Execution via All-SMT

ϕP := (¬G1 ∨ T1) ∧ (G1 ∨ T2) ∧ (¬G1 ∨ A1) ∧ (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧ (G2 ∨ T4) ∧ (G2 ∨ A3)

The same query in SMT-LIB, ending with MathSAT's check-allsat command:

    ; sort declarations for the SSA values and the atoms (needed to run the script)
    (declare-fun x0 () Int) (declare-fun x1 () Int) (declare-fun x2 () Int) (declare-fun y1 () Int)
    (declare-fun G1 () Bool) (declare-fun G2 () Bool)
    (declare-fun T1 () Bool) (declare-fun T2 () Bool) (declare-fun T3 () Bool) (declare-fun T4 () Bool)
    (declare-fun A1 () Bool) (declare-fun A2 () Bool) (declare-fun A3 () Bool)
    ; definitions of the T-atoms: guards G1, G2 and memory updates A1, A2, A3
    (assert (= (> x0 5) G1))
    (assert (= (< x1 3) G2))
    (assert (= (= x1 (+ x0 1)) A1))
    (assert (= (= x2 (- x1 1)) A2))
    (assert (= (= y1 (+ x1 1)) A3))
    ; the Boolean abstraction phi_P, one assert per clause
    (assert (or (not G1) T1))
    (assert (or G1 T2))
    (assert (or (not G1) A1))
    (assert (or (not G2) T3))
    (assert (or (not G2) A2))
    (assert (or G2 T4))
    (assert (or G2 A3))
    ; enumerate all models over the guards: one model per symbolic path
    (check-allsat (G1 G2))


Symbolic Execution via All-SMT

(G1 G2): (True,False), (False,True) and (False,False)

[Transition graph of test as on the Symbolic Transition System example slide above, with the three feasible paths for (G1, G2) highlighted]
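An added worked example (written for this page, not code from the talk): the DPLL(T) trace and the All-SMT enumeration above, run in Python over the talk's ϕP. The Boolean executor decides the guards G1 and G2, propagates unit clauses and, at each leaf, hands the assigned T-atoms to a T-solver; it returns the same three (G1, G2) models as check-allsat. The T-solver is an assumption of this example: a bounded enumeration of (x0, x1, x2, y1) stands in for a real integer-arithmetic decision procedure.

```python
from itertools import product
# phi_P from the talk: each clause is a set of (atom, polarity) literals
PHI_P = [{("G1", False), ("T1", True)}, {("G1", True), ("T2", True)},
         {("G1", False), ("A1", True)}, {("G2", False), ("T3", True)},
         {("G2", False), ("A2", True)}, {("G2", True), ("T4", True)},
         {("G2", True), ("A3", True)}]
T_ATOMS = {"G1": lambda v: v["x0"] > 5, "G2": lambda v: v["x1"] < 3,   # guards
           "A1": lambda v: v["x1"] == v["x0"] + 1, "A2": lambda v: v["x2"] == v["x1"] - 1,
           "A3": lambda v: v["y1"] == v["x1"] + 1}                        # memory updates

def t_solver(mu):
    # Assumption: bounded enumeration of (x0, x1, x2, y1) stands in for a real LIA solver
    for vals in product(range(-3, 10), repeat=4):
        v = dict(zip(("x0", "x1", "x2", "y1"), vals))
        if all(T_ATOMS[a](v) == b for a, b in mu.items()):
            return True
    return False

def propagate(clauses, assign):
    # DPLL propagate: drop satisfied clauses, delete falsified literals, assign units
    assign, changed = dict(assign), True
    while changed:
        changed, rest = False, []
        for clause in clauses:
            if any(assign.get(a) == b for a, b in clause):
                continue                                  # clause already true
            live = {(a, b) for a, b in clause if a not in assign}
            if not live:
                return None, assign                       # conflict: all literals false
            if len(live) == 1:
                a, b = next(iter(live))
                assign[a], changed = b, True              # unit clause forces the literal
            else:
                rest.append(live)
        clauses = rest
    return clauses, assign

def all_smt(clauses, assign, guards, models):
    # Boolean executor: decide a guard, propagate, recurse into both polarities (backtrack)
    clauses, assign = propagate(clauses, assign)
    if clauses is None:
        return models
    todo = [g for g in guards if g not in assign]
    if not todo:            # leaf: the T-solver decides whether this path is feasible
        if t_solver({a: b for a, b in assign.items() if a in T_ATOMS}):
            models.append(tuple(assign[g] for g in guards))
        return models
    for polarity in (True, False):
        all_smt(clauses, {**assign, todo[0]: polarity}, guards, models)
    return models
```

Calling all_smt(PHI_P, {}, ("G1", "G2"), []) yields [(True, False), (False, True), (False, False)]: the (True, True) branch is pruned by the T-solver exactly as in step 2 of the DPLL trace.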


Conclusion

Symbolic Execution can be viewed as an SMT solver

Exploit techniques developed for Symbolic Execution in SMT solving.

Exploit techniques developed for SMT in Symbolic Execution.

A lightweight approach for Symbolic Execution based on All-SMT solver


THANK YOU FOR YOUR ATTENTION!
