Sections: Introduction | Background | Symbolic Execution as DPLL(T) | A lightweight approach for Symbolic Execution | Conclusion
Symbolic Execution as DPLL Modulo Theories
Q. Sang Phan
Queen Mary, University of London
September 25, 2014
Outline
1 Introduction
2 Background
3 Symbolic Execution as DPLL(T )
4 A lightweight approach for Symbolic Execution
5 Conclusion
Section 1: Introduction
Symbolic Execution
A program analysis technique with several applications, in particular automated test generation.
The program is executed on symbolic values in place of concrete inputs; each explored path accumulates a path condition, a constraint over the inputs that is satisfiable exactly when the path is feasible.
Symbolic Execution
Academic:
  Imperial: KLEE
  EPFL: S2E
  UC Berkeley: CREST and BitBlaze
  UIUC: CUTE, jCUTE
  . . .
Industry:
  NASA: Symbolic PathFinder
  Microsoft: Pex, SAGE, Yogi
  IBM: Apollo
  . . .
Satisfiability Modulo Theories
The decision problem for satisfiability of a first-order formula whose atoms are interpreted in one or more background theories (e.g. linear integer arithmetic, bit-vectors, arrays).
Running example, used throughout these slides (it encodes the program test(x, y) shown later):
ϕ ≡ (¬(x0 > 5) ∨ T1) ∧ ((x0 > 5) ∨ T2) ∧ (¬(x0 > 5) ∨ (x1 = x0 + 1)) ∧
    (¬(x1 < 3) ∨ T3) ∧ (¬(x1 < 3) ∨ (x2 = x1 − 1)) ∧
    ((x1 < 3) ∨ T4) ∧ ((x1 < 3) ∨ (y1 = x1 + 1))
Tools:
Microsoft: Z3
NYU: CVC3
SRI: Yices
. . .
SMT competition: http://www.smtcomp.org/
Symbolic Execution as an SMT solver
Symbolic Execution can be viewed as an SMT solver
Section 2: Background
DPLL Modulo Theories
The lazy approach to SMT
SMT solver = SAT solver + T-solver
SAT solver: runs the DPLL algorithm on the Boolean abstraction of the formula.
T-solver: checks whether a conjunction of theory literals (the current Boolean assignment, read back as T-atoms) is consistent in the theory.
A DPLL-based SAT solver is a depth-first search built from three operations:
decide: pick an unassigned literal l and assume it true.
propagate: simplify the formula under l: every clause containing l is satisfied and dropped, and every occurrence of ¬l is deleted from the remaining clauses; a clause left with a single literal forces that literal (unit propagation).
backtrack: on a conflict (a clause with all literals false), undo the most recent decision and try its negation.
Boolean Abstraction
ϕ ≡ (¬(x0 > 5) ∨ T1) ∧ ((x0 > 5) ∨ T2) ∧ (¬(x0 > 5) ∨ (x1 = x0 + 1)) ∧
    (¬(x1 < 3) ∨ T3) ∧ (¬(x1 < 3) ∨ (x2 = x1 − 1)) ∧
    ((x1 < 3) ∨ T4) ∧ ((x1 < 3) ∨ (y1 = x1 + 1))
(x0 > 5), (x1 = x0 + 1), . . . : T-atoms (interpreted in the theory)
T1, T2, . . . : Boolean atoms
Boolean abstraction of ϕ: each T-atom is replaced by a fresh propositional variable; guards G1 := (x0 > 5), G2 := (x1 < 3); memory-updating actions A1 := (x1 = x0 + 1), A2 := (x2 = x1 − 1), A3 := (y1 = x1 + 1):
ϕP ≡ (¬G1 ∨ T1) ∧ (G1 ∨ T2) ∧ (¬G1 ∨ A1) ∧
     (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧
     (G2 ∨ T4) ∧ (G2 ∨ A3)
DPLL-based SAT solver
ϕP ≡ (¬G1 ∨ T1) ∧ (G1 ∨ T2) ∧ (¬G1 ∨ A1) ∧
     (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧
     (G2 ∨ T4) ∧ (G2 ∨ A3)
µP is the current Boolean assignment (decided literals, with unit-propagated literals in brackets); µ is µP read back as T-literals.
0. µP = True; ϕP unchanged
1. decide G1: µP = G1 [T1, A1]; ϕP = (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧ (G2 ∨ T4) ∧ (G2 ∨ A3)
2. decide G2: µP = G1 ∧ G2 [T1, A1, T3, A2]; ϕP = True; T-solver(µ) = Inconsistent, since µ contains x0 > 5, x1 = x0 + 1 and x1 < 3
3. backtrack: µP = G1 [T1, A1]; ϕP = (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧ (G2 ∨ T4) ∧ (G2 ∨ A3)
4. decide ¬G2: µP = G1 ∧ ¬G2 [T1, A1, T4, A3]; ϕP = True; T-solver(µ) = Consistent (x0 > 5, x1 = x0 + 1, x1 ≥ 3, y1 = x1 + 1), so ϕ is satisfiable
Symbolic Execution
At a branch on condition c with current path condition pc:
pc ⊢ c : only the then path is feasible; execute it
pc ⊢ ¬c : only the else path is feasible; execute it
pc ⊬ c and pc ⊬ ¬c : both paths are feasible; fork and execute both
  then path: pc1 = pc ∧ c
  else path: pc2 = pc ∧ ¬c
An SMT solver is used to check the satisfiability of path conditions.
Observation
A path condition is a conjunction of T-literals, so the SMT solver is only ever asked about conjunctions ⇒ its SAT component does no work; only the T-solver is used.
Implementation of Symbolic Execution
Symbolic Executor = Boolean Executor + T-solver
Boolean Executor: a depth-first search procedure built from three operations, mirroring decide / propagate / backtrack:
decide: choose a branch outcome, i.e. the literal c or ¬c of the branch condition.
update: execute the block of code on that path, adding the chosen literal to the path condition and updating the symbolic state.
backtrack: when a leaf of the symbolic execution tree is reached (the path terminates, or its path condition is found unsatisfiable).
Section 3: Symbolic Execution as DPLL(T)
Symbolic Transition System
A bounded program in Static Single Assignment (SSA) form is modelled as
P ≡ (S, I, G, A, T)
S : the set of symbolic states
I ⊆ S : the set of initial symbolic states
G : the set of guards
A : the set of actions
  Actions that do not update memory (taking a branch): represented by Boolean atoms.
  Actions that update memory (assignments): represented by T-atoms.
T ⊆ S × G × A × S : the transition relation
Program to formula
tij = ⟨si, gij, aij, sj⟩ ∈ T : si → sj by action aij under guard gij
Encode the transition as a formula:
tij ≡ gij → aij, or equivalently tij ≡ ¬gij ∨ aij
A program trace (one path s0 → s1 → · · · → sk):
t01 ∧ t12 ∧ · · · ∧ t(k−1)k = (¬g01 ∨ a01) ∧ (¬g12 ∨ a12) ∧ · · · ∧ (¬g(k−1)k ∨ a(k−1)k)
Program semantics (all possible traces): the conjunction over every transition,
ϕ = ⋀_{tij ∈ T} tij = ⋀_{tij ∈ T} (¬gij ∨ aij)
Symbolic Transition System: Example
void test(int x, int y){
    if(x > 5){
        x++;
        if (x < 3)
            x--;
        else
            y = x + 1;
    }
}
Transition system (states s0 . . . s7; each edge is labelled guard / action, after SSA renaming):
s0 → s1 : x0 > 5 / T1
s0 → s2 : ¬(x0 > 5) / T2
s1 → s3 : x0 > 5 / x1 = x0 + 1
s3 → s4 : x1 < 3 / T3
s3 → s5 : ¬(x1 < 3) / T4
s4 → s6 : x1 < 3 / x2 = x1 − 1
s5 → s7 : ¬(x1 < 3) / y1 = x1 + 1
Encoding ⋀ (¬gij ∨ aij) over these seven transitions:
ϕ ≡ (¬(x0 > 5) ∨ T1) ∧ ((x0 > 5) ∨ T2) ∧ (¬(x0 > 5) ∨ (x1 = x0 + 1)) ∧
    (¬(x1 < 3) ∨ T3) ∧ (¬(x1 < 3) ∨ (x2 = x1 − 1)) ∧
    ((x1 < 3) ∨ T4) ∧ ((x1 < 3) ∨ (y1 = x1 + 1))
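The program-to-formula step above, as an added Python example (this is not code from the slides): the transition system of test(x, y) is written down as data, one clause ¬gij ∨ aij is emitted per transition, the clauses of a single trace are picked out, and the Boolean abstraction (G1, G2 for guards; A1, A2, A3 for memory-updating actions) used in the DPLL(T) part of the talk is derived. The string representation of atoms, the "!(...)" negation marker and the helper names are choices made for this example; the transition list is constructed from the figure.

```python
"""Program-to-formula encoding of a bounded SSA program given as a symbolic
transition system, plus the Boolean abstraction used by DPLL(T)."""
from typing import Dict, List, Tuple

# A transition <s_i, g_ij, a_ij, s_j>.  Guards and actions are plain strings;
# "!(p)" denotes the negation of p (a representation chosen for this example).
Transition = Tuple[str, str, str, str]

# Constructed input: the transition system of the slides' test(x, y) after SSA
# renaming.  T1..T4 are the Boolean atoms for branch actions that leave memory alone.
TEST_PROGRAM: List[Transition] = [
    ("s0", "x0 > 5",    "T1",          "s1"),
    ("s0", "!(x0 > 5)", "T2",          "s2"),
    ("s1", "x0 > 5",    "x1 = x0 + 1", "s3"),
    ("s3", "x1 < 3",    "T3",          "s4"),
    ("s3", "!(x1 < 3)", "T4",          "s5"),
    ("s4", "x1 < 3",    "x2 = x1 - 1", "s6"),
    ("s5", "!(x1 < 3)", "y1 = x1 + 1", "s7"),
]

def negate(lit: str) -> str:
    """Syntactic negation: strips an outer "!(...)" or adds one."""
    if lit.startswith("!(") and lit.endswith(")"):
        return lit[2:-1]
    return f"!({lit})"

def encode(transitions: List[Transition]) -> List[Tuple[str, str]]:
    """One clause (not g_ij or a_ij) per transition; their conjunction is phi,
    the semantics of the whole bounded program."""
    return [(negate(g), a) for (_, g, a, _) in transitions]

def path_clauses(transitions: List[Transition], states: List[str]) -> List[Tuple[str, str]]:
    """The clauses of one program trace s_0 -> s_1 -> ... -> s_k."""
    by_edge = {(src, dst): (negate(g), a) for (src, g, a, dst) in transitions}
    return [by_edge[(src, dst)] for src, dst in zip(states, states[1:])]

def is_theory_atom(atom: str) -> bool:
    """Comparisons and assignments are T-atoms; bare names (T1, ...) are Boolean atoms."""
    return any(op in atom for op in ("<", ">", "="))

def boolean_abstraction(transitions: List[Transition]):
    """Replace each distinct T-atom by a propositional variable: guards become
    G1, G2, ..., memory-updating actions become A1, A2, ...  Returns the abstract
    clauses (same shape as encode()) and the atom table."""
    table: Dict[str, str] = {}

    def var_for(atom: str, prefix: str) -> str:
        if atom not in table:
            table[atom] = f"{prefix}{sum(v.startswith(prefix) for v in table.values()) + 1}"
        return table[atom]

    abstract = []
    for (_, g, a, _) in transitions:
        negated = g.startswith("!(")
        g_atom = negate(g) if negated else g
        g_var = var_for(g_atom, "G") if is_theory_atom(g_atom) else g_atom
        g_lit = negate(g_var) if negated else g_var          # abstraction of g_ij
        a_lit = var_for(a, "A") if is_theory_atom(a) else a  # abstraction of a_ij
        abstract.append((negate(g_lit), a_lit))              # clause (not g_ij or a_ij)
    return abstract, table
```

Running `encode(TEST_PROGRAM)` reproduces the seven clauses of ϕ in transition order, and `boolean_abstraction(TEST_PROGRAM)` returns the clauses of ϕP together with the table {x0 > 5: G1, x1 < 3: G2, x1 = x0 + 1: A1, x2 = x1 − 1: A2, y1 = x1 + 1: A3}; `path_clauses(TEST_PROGRAM, ["s0", "s1", "s3", "s5", "s7"])` gives the four clauses of the trace through the outer then branch and the inner else branch.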
Symbolic Execution vs SMT solver
Symbolic Execution
Symbolic Executor = Boolean Executor + T-solver
Boolean Executor: a depth-first search procedure using three main operations: decide, update, backtrack
SMT solver
SMT solver = SAT solver + T-solver
DPLL-based SAT solver: a depth-first search procedure using three main operations: decide, propagate, backtrack
Section 4: A lightweight approach for Symbolic Execution
Symbolic Execution vs SMT solver
Symbolic Execution enumerates all feasible symbolic paths (one path condition per path).
An SMT solver returns a single model.
→ For Symbolic Execution we need an SMT solver that enumerates all models (All-SMT), projected onto the branch guards.
→ The only SMT solver known (as of these slides) to generate all models: MathSAT, via its check-allsat command.
Symbolic Execution via All-SMT
ϕP := (¬G1 ∨ T1) ∧ (G1 ∨ T2) ∧ (¬G1 ∨ A1) ∧
      (¬G2 ∨ T3) ∧ (¬G2 ∨ A2) ∧
      (G2 ∨ T4) ∧ (G2 ∨ A3)
MathSAT input (SMT-LIB with MathSAT's check-allsat extension). The declarations were not on the slide and are added so the script runs as-is; the slide also defined A2 twice, once as x2 = x1 − 1 and once as y1 = x1 + 1, which is corrected to A3 below so that the clauses (G2 ∨ A3) refer to the right atom:
  (declare-fun x0 () Int) (declare-fun x1 () Int) (declare-fun x2 () Int) (declare-fun y1 () Int)
  (declare-fun G1 () Bool) (declare-fun G2 () Bool)
  (declare-fun A1 () Bool) (declare-fun A2 () Bool) (declare-fun A3 () Bool)
  (declare-fun T1 () Bool) (declare-fun T2 () Bool) (declare-fun T3 () Bool) (declare-fun T4 () Bool)
  ; name each T-atom by its propositional variable (the Boolean abstraction)
  (assert (= (> x0 5) G1))
  (assert (= (< x1 3) G2))
  (assert (= (= x1 (+ x0 1)) A1))
  (assert (= (= x2 (- x1 1)) A2))
  (assert (= (= y1 (+ x1 1)) A3))
  ; the clauses of phi_P
  (assert (or (not G1) T1))
  (assert (or G1 T2))
  (assert (or (not G1) A1))
  (assert (or (not G2) T3))
  (assert (or (not G2) A2))
  (assert (or G2 T4))
  (assert (or G2 A3))
  ; enumerate every consistent assignment to the guards
  (check-allsat (G1 G2))
Symbolic Execution via All-SMT
check-allsat over (G1, G2) returns three assignments: (True, False), (False, True) and (False, False).
(True, True) is missing: under G1 the propagated action A1 gives x1 = x0 + 1 ≥ 7, which contradicts G2 (x1 < 3), so the path s0 → s1 → s3 → s4 → s6 is infeasible and no input reaches x--.
(False, True) and (False, False) both describe the same program path s0 → s2: when G1 is false, A1 is not asserted, x1 is unconstrained and G2 is a don't-care.
Paths of the transition system:
s0 → s1 → s3 → s5 → s7 : x0 > 5, x1 = x0 + 1, ¬(x1 < 3), y1 = x1 + 1   (G1, ¬G2) feasible
s0 → s2 : ¬(x0 > 5)   (¬G1) feasible
s0 → s1 → s3 → s4 → s6 : x0 > 5, x1 = x0 + 1, x1 < 3, x2 = x1 − 1   (G1, G2) infeasible
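The DPLL(T) trace from the DPLL-based SAT solver slide and the All-SMT enumeration above, as one added Python example (not code from the slides, and not MathSAT's): `dpll_t` implements decide / unit propagation / backtrack on ϕP and calls a T-solver once the Boolean part is satisfied; `all_smt` blocks each model found on (G1, G2) and searches again, which is what check-allsat does and which reproduces the three assignments. The T-solver is an assumption of this example: every atom of the running example is a difference constraint u − v ≤ c over the integers (a zero variable z turns bounds such as x0 > 5 into z − x0 ≤ −6), and such a conjunction is inconsistent exactly when its constraint graph has a negative cycle, which Bellman-Ford detects. Negated equalities are not difference constraints; they never arise for ϕP and are rejected rather than guessed.

```python
"""DPLL(T) and All-SMT run by hand on phi_P from the slides.  The T-solver is a
difference-logic checker: every T-atom here has the form u - v <= c over the
integers (zero variable z); inconsistency is a negative cycle (Bellman-Ford)."""
from typing import Dict, List, Optional, Tuple

Literal = Tuple[str, bool]          # (propositional variable, polarity)
Clause = List[Literal]
Assignment = Dict[str, bool]

# phi_P, the Boolean abstraction of the running example, one list per clause.
PHI_P: List[Clause] = [
    [("G1", False), ("T1", True)], [("G1", True), ("T2", True)], [("G1", False), ("A1", True)],
    [("G2", False), ("T3", True)], [("G2", False), ("A2", True)],
    [("G2", True), ("T4", True)], [("G2", True), ("A3", True)],
]
# Theory reading of each T-literal as constraints (u, v, c) meaning u - v <= c; an
# equality is two inequalities.  T1..T4 are pure Boolean atoms and have no entry.
THEORY: Dict[Literal, List[Tuple[str, str, int]]] = {
    ("G1", True):  [("z", "x0", -6)],                    # x0 > 5, i.e. x0 >= 6
    ("G1", False): [("x0", "z", 5)],                     # x0 <= 5
    ("G2", True):  [("x1", "z", 2)],                     # x1 < 3, i.e. x1 <= 2
    ("G2", False): [("z", "x1", -3)],                    # x1 >= 3
    ("A1", True):  [("x1", "x0", 1), ("x0", "x1", -1)],  # x1 = x0 + 1
    ("A2", True):  [("x2", "x1", -1), ("x1", "x2", 1)],  # x2 = x1 - 1
    ("A3", True):  [("y1", "x1", 1), ("x1", "y1", -1)],  # y1 = x1 + 1
}

def t_solver(assignment: Assignment) -> bool:
    """T-consistency of the theory literals in `assignment`: u - v <= c is the edge
    v -> u with weight c, and a negative cycle means the conjunction is unsatisfiable."""
    edges: List[Tuple[str, str, int]] = []
    for var, val in assignment.items():
        if (var, val) in THEORY:
            edges += THEORY[(var, val)]
        elif (var, not val) in THEORY:    # negated equality: not a difference constraint
            raise NotImplementedError(f"literal {var}={val} is outside difference logic")
    if not edges:
        return True
    nodes = {n for u, v, _ in edges for n in (u, v)}
    dist = {n: 0 for n in nodes}          # zero start: every negative cycle is reachable
    for _ in range(len(nodes)):
        changed = False
        for u, v, c in edges:
            if dist[v] + c < dist[u]:
                dist[u], changed = dist[v] + c, True
        if not changed:
            return True                   # converged: no negative cycle
    return False                          # still relaxing after |V| rounds

def propagate(clauses: List[Clause], assignment: Assignment) -> Optional[Assignment]:
    """Unit propagation to a fixpoint; None when some clause has every literal false."""
    assignment = dict(assignment)
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(assignment.get(v) == p for v, p in clause):
                continue                  # clause already satisfied
            free = [(v, p) for v, p in clause if v not in assignment]
            if not free:
                return None               # conflict
            if len(free) == 1:            # unit clause forces its literal
                assignment[free[0][0]] = free[0][1]
                changed = True
    return assignment

def theory_part(assignment: Assignment) -> str:
    """The T-literals of an assignment, e.g. 'G1 A1 ~G2 A3', for the trace."""
    return " ".join(("" if p else "~") + v for v, p in assignment.items()
                    if (v, True) in THEORY or (v, False) in THEORY)

def dpll_t(clauses: List[Clause], order: List[str], trace: List[str],
           assignment: Optional[Assignment] = None) -> Optional[Assignment]:
    """Lazy DPLL(T): propagate, decide, backtrack on the abstraction, and call the
    T-solver once every clause is satisfied, as in the slides' hand trace."""
    assignment = propagate(clauses, assignment or {})
    if assignment is None:
        trace.append("Boolean conflict")
        return None
    if all(any(assignment.get(v) == p for v, p in c) for c in clauses):
        ok = t_solver(assignment)
        trace.append(f"T-solver({theory_part(assignment)}) = {'consistent' if ok else 'inconsistent'}")
        return assignment if ok else None
    var = next(v for v in order if v not in assignment)
    for val in (True, False):
        trace.append(f"decide {var}={val}")
        model = dpll_t(clauses, order, trace, {**assignment, var: val})
        if model is not None:
            return model
        trace.append(f"backtrack {var}={val}")
    return None

def all_smt(clauses: List[Clause], important: List[str], trace: List[str]) -> List[tuple]:
    """All T-consistent assignments to `important` (what check-allsat returns): block
    each model with a clause over `important`, then search again.  Deciding the
    guards first makes every model one symbolic-execution path."""
    order = important + sorted({v for c in clauses for v, _ in c} - set(important))
    clauses, models = list(clauses), []
    while True:
        model = dpll_t(clauses, order, trace)
        if model is None:
            return models
        models.append(tuple(model.get(v) for v in important))
        clauses.append([(v, not model[v]) for v in important if v in model])
```

With `trace = []`, `all_smt(PHI_P, ["G1", "G2"], trace)` returns [(True, False), (False, True), (False, False)], and the trace opens with decide G1=True, decide G2=True, T-solver(G1 A1 G2 A2) = inconsistent, backtrack G2=True, decide G2=False, T-solver(G1 A1 ~G2 A3) = consistent, the same steps as the hand trace. Each model is one path of the symbolic execution tree: a decision on a guard is a fork, propagation is the update of the path, and a T-inconsistent leaf is an infeasible path.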
Section 5: Conclusion
Conclusion
Symbolic Execution can be viewed as an SMT solver: the Boolean Executor plays the role of the DPLL search and the constraint solver that of the T-solver.
Techniques developed for Symbolic Execution can be carried over to SMT, and techniques developed for SMT (propagation, backtracking, All-SMT) to Symbolic Execution.
A lightweight approach to Symbolic Execution: encode the bounded SSA program as ⋀ (¬gij ∨ aij) and let an All-SMT solver enumerate the feasible paths.
THANK YOU FOR YOUR ATTENTION!