symbolic execution - summer school marktoberdorf · l path-based symbolic simulation ... ûnot...
TRANSCRIPT
Daniel Kroening, Marktoberdorf 2017
Overview
l SAT/SMT:enablingtechnologyl Over- vs.underapproximating staticanalysisl Path-basedsymbolicsimulationl Pathmerging
Daniel Kroening, Marktoberdorf 2017
EnablingTechnology:SAT/SMT
0
200
400
600
800
1000
1200
0 20 40 60 80 100 120 140 160 180
CPU T
ime (
in s
eco
nds)
Number of problems solved
Results of the SAT competition/race winners on the SAT 2009 application benchmarks, 20mn timeout
200220032004200520062007200820092010201120122013
Daniel Kroening, Marktoberdorf 2017
PropositionalSAT
• SATsolversacceptpropositionallogicintheformofCNFasinput
• Minisat,Picosat,andmanyothers• GenerallygoodideaforNP-hardproblems• Providesatisfyingassignment
• Also:incrementalsolvingandconflictvariables
Daniel Kroening, Marktoberdorf 2017
Conflict-drivenClauseLearning
2.2 SAT Solvers 33
✄
✂
#
✁
Algorithm 2.2.1: CDCL-SAT
Input: A propositional CNF formula B
Output: “Satisfiable” if the formula is satisfiable and “Unsatisfiable”otherwise
1. function CDCL
2. while (true) do3. while (BCP() = “conflict”) do4. backtrack-level := Analyze-Conflict();5. if backtrack-level < 0 then return “Unsatisfiable”;6. BackTrack(backtrack-level);7. if ¬Decide() then return “Satisfiable”;
SAT
UNSAT
bl ≥ 0
BackTrack
Analyze-
ConflictBCP
bl < 0
all assigned
α
αDecide
conflict
Fig. 2.5. CDCL-SAT: high-level overview of the Conflict-Driven Clause-Learningalgorithm. The variable bl is the backtracking level, i.e., the decision level to whichthe procedure backtracks. α is an assignment (either partial or full)
at which it occurred. If a variable xi is assigned 1 (true) (owing to eithera decision or an implication) at decision level dl, we write xi@dl. Similarly,
✄
✂
#
✁xi@dl
¬xi@dl reflects an assignment of 0 (false) to this variable at decision leveldl. Where appropriate, we refer only to the truth assignment, omitting thedecision level, in order to make the notation simpler.
The process of BCP is best illustrated with an implication graph. Animplication graph represents the current partial assignment and the reasonfor each of the implications.
Definition 2.6 (implication graph). An implication graph is a labeled di-rected acyclic graph G(V,E), where:
Daniel Kroening, Marktoberdorf 2017
SMT
• “SatisfiabilityModuloTheories”• Thisisafileformat(andAPI)forspecifyingformulastakenfromspecifictheories
• Uninterpreted functions• Rational/integerlineararithmetic• Arrays• Bit-vectors
Daniel Kroening, Marktoberdorf 2017
DPLL(T)
• UsespropositionalSATsolverascentralcomponent
• Tightintegrationwiththeorysolvers• Z3,CVC,Boolector,MathSAT
• Bjørner willteachthisnextweek
Daniel Kroening, Marktoberdorf 2017
DPLL(T)68 3 From Propositional to Quantifier-Free Theories
Analyze-Conflict UNSAT
Deduction AddClauses
α
t e(t)
Decide SAT
propagationTheory
BackTrack
T̂ h(α)
bl ≥ 0
bl < 0
all assigned
/ conflict
Nothingto
propagate,noconflict
α
α
BCPconflict
Fig. 3.3. The main components of DPLL(T ). Theory propagation is implementedin Deduction
theory T . Accordingly, this technique is known by the name theory propa-gation.
What are the requirements on these new clauses? As before, they have tobe implied by ϕ and are restricted to a finite set of atoms—typically to ϕ’satoms. It is desirable that, when T̂ h(α) is unsatisfiable, e(t) blocks α; it is notmandatory, because whether it blocks α or not does not affect correctness—Deduction only needs to be complete when α is a full assignment. CertainSMT solvers exploit this fact to perform cheap checks on partial assignments,e.g., bound the time dedicated to them. What if T̂ h(α) is satisfiable? Thenwe require t to fulfill one of the following two conditions in order to guaranteetermination:
1. The clause e(t) is an asserting clause under α (asserting clauses are definedin Sect. 2.2.3). This implies that the addition of e(t) to B and a call toBCP leads to an assignment to the encoder of some literal.
2. When Deduction cannot find an asserting clause t as defined above, tand e(t) are equivalent to true.
The second case occurs, for example, when all the Boolean variables are al-ready assigned, and thus the formula is found to be satisfiable. In this case,the condition in line 11 is met and the procedure continues from line 13, whereDecide is called again. Since all variables are already assigned, the procedurereturns “Satisfiable”.
Example 3.3. Consider once again the example of the two encoders e(x1 ≥10) and e(x1 < 0). After the first of these has been set to true, the procedure
Daniel Kroening, Marktoberdorf 2017
Bit-VectorFlattening
• C/C++andJavausesemanticswithmodulararithmetic(i.e.,wrap-around)
• IntheSMTcontext:SMT-BV• Canbesolvedeffectivelywithflattening
Daniel Kroening, Marktoberdorf 2017
Bit-VectorFlattening
• Thisisstraightforwardfor– Equality– Bit-wiseoperators(&,|,^)
• TransformationintoCNFisdoneusingTseitin’s encoding
Daniel Kroening, Marktoberdorf 2017
FlatteningArithmeticFlattening Bit-Vector Arithmetic
How to flatten a+ b?
�! we can build a circuit that adds them!
FA
iba
so
Full Adder
s ⌘ (a+ b+ i ) mod 2 ⌘ a� b� i
o ⌘ (a+ b+ i ) div 2 ⌘ a · b+ a · i+ b · i
The full adder in CNF:
(a _ b _ ¬o) ^ (a _ ¬b _ i _ ¬o) ^ (a _ ¬b _ ¬i _ o)^(¬a _ b _ i _ ¬o) ^ (¬a _ b _ ¬i _ o) ^ (¬a _ ¬b _ o)
D. Kroening: Software Verification 28
Daniel Kroening, Marktoberdorf 2017
FlatteningArithmeticFlattening Bit-Vector Arithmetic
Ok, this is good for one bit! How about more?
8-Bit ripple carry adder (RCA)
i
FA FA FA FA FA FA FA FA
a
7
b
7
a
6
b
6
a
5
b
5
a
4
b
4
a
3
b
3
a
2
b
2
a
1
b
1
a
0
b
0
o
s
7
s
6
s
5
s
4
s
3
s
2
s
1
s
0
I Also called carry chain adderI Adds l variablesI Adds 6 · l clauses
D. Kroening: Software Verification 29
Daniel Kroening, Marktoberdorf 2017
IncrementalFlattening
• Idea:add“easy”partsoftheformulafirst• Onlyaddhardpartswhenneeded• CNFonlygetsstronger– useanincrementalSATsolver
Daniel Kroening, Marktoberdorf 2017
IncrementalFlatteningIncremental Flattening
?'f := 'sk , F := ;
?Is 'f SAT?
?No!
UNSAT
-Yes! compute I
?I = ;
SAT
6I 6= ;
Pick F
0 ✓ (I \ F )
F := F [ F
0
'f := 'f ^ CONSTRAINT(F )
�
'sk : Boolean part of 'F : set of terms that are in the encodingI: set of terms that are inconsistent with the current assignment
D. Kroening: Software Verification 31
Daniel Kroening, Marktoberdorf 2017
MoreReadingonSAT/SMT
• Bookondecisionprocedures(happytoemailPDFs)
• Armin’sHandbookonSAT
Daniel Kroening, Marktoberdorf 2017
StaticAnalysis
l Gaininformationabouttheprogramwithoutrunning it
l Notestinputsneededl Betterhandleonnon-determinism,i.e.,thread-scheduleandinputdata
Daniel Kroening, Marktoberdorf 2017
ApproximatingStaticAnalysis
l Theprecisebehaviourofprogramsisincrediblycomplex
l Staticanalysesthusapproximateprogrambehaviours
l Mostaimtoover-approximate
Daniel Kroening, Marktoberdorf 2017
Over-ApproximatingStaticAnalysis
float A1[3] = { 1, 0.5179422053046, 1.0 };float b1[2] = { 1.470767736573, 0.5522073405779 };float A2[3] = { 1, 1.633101801841, 1.0 };float b2[2] = { 1.742319554830, 0.820939679242 };float D1[2], D2[2];float P, X;
void iir4(float *x, float *y) { float x1, y1, t1, t2;X1 = 0.0117749388721091 * *x;t1 = x1 + b1[0]*D1[0] - b1[1]*D1[1];y1 = A1[0]*t1 - A1[1]*D1[0] + A1[2]*D1[1];D1[1] = D1[0]; D1[0] = t1;t2 = y1 + b2[0]*D2[0] - b2[1]*D2[1];*y = A2[0]*t2 - A2[1]*D2[0] + A2[2]*D2[1];D2[1] = D2[0]; D2[0] = t2;
}
int main () {while (1) { X = input(); iir4(&X,&P); }
}
[ESOP 2005]
Daniel Kroening, Marktoberdorf 2017
Over-ApproximatingStaticAnalysis
Keybenefit:üwhendoneright,onecanproveabsenceofcertainbugs
[ESOP 2005]
Daniel Kroening, Marktoberdorf 2017
Over-ApproximatingStaticAnalysis
Keyproblems:ûApproximationisoftenhard-wiredto• particularkindsofbugsand• programconstructs
ûNothelpfulfor“novel”bugsornewwaysofdoingthings
ûFalsealarms!
Daniel Kroening, Marktoberdorf 2017
[PLDI 2012]
const char * read_response(const char *prompt, int flags){
char *askpass = NULL, *ret = NULL, buf[1024];
int rppflags, use_askpass = 0, ttyfd;
rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;if (flags & RP_USE_ASKPASS)
use_askpass = 1;else if (flags & RP_ALLOW_STDIN) {
if (!isatty(STDIN_FILENO)) {debug("read_response: stdin is not a tty");use_askpass = 1;
}} else {
rppflags |= RPP_REQUIRE_TTY;ttyfd = open(_PATH_TTY);if (ttyfd >= 0)
close(ttyfd);else {
debug("read_response: can't open %s: %s", _PATH_TTY,strerror(errno));use_askpass = 1;
}}
if ((flags & RP_USE_ASKPASS) || !(ret = getenv("DISPLAY")))goto end;
if (use_askpass && getenv("DISPLAY")) {if (getenv(SSH_ASKPASS_ENV))
askpass = getenv(SSH_ASKPASS_ENV);else
askpass = _PATH_SSH_ASKPASS_DEFAULT;if ((ret = ssh_askpass(askpass, prompt)) == NULL)
if (!(flags & RP_ALLOW_EOF))return xstrdup("");
goto end;}
ret = xstrdup(buf);memset(buf, 'x', sizeof buf);end:return ret;
}