system analysis & symbolic execution (celeste,caberio,arboleda)

Upload: arkiara

Post on 04-Apr-2018


TRANSCRIPT

  • 7/31/2019 System Analysis & Symbolic Execution (Celeste,Caberio,Arboleda)

    1/21

    STATIC ANALYSIS & SYMBOLIC EXECUTION

    STATIC ANALYSIS

    > is the analysis of source code without execution

    > is usually conducted by looking for error signatures or patterns that have caused problems in earlier programs.

    Static program analysis is the analysis of computer software that is performed without actually executing programs built from that software (analysis performed on executing programs is known as dynamic analysis).

    Static program analysis

    The term is usually applied to the analysis performed by an automated tool, with human analysis being called program understanding, program comprehension or code review.

    Some of the implementation techniques of formal static analysis include:

    > Model checking considers systems that have finite state or may be reduced to finite state by abstraction;

    > Data-flow analysis is a lattice-based technique for gathering information about the possible set of values;

    > Abstract interpretation models the effect that every statement has on the state of an abstract machine (i.e., it 'executes' the software based on the mathematical properties of each statement and declaration).

    Use of assertions in program code as first suggested by Hoare logic. There is tool support for some programming languages (e.g., the SPARK programming language (a subset of Ada) and the Java Modeling Language JML using ESC/Java and ESC/Java2, ANSI/ISO C Specification Language for the C language).

    In the area of static analyses we continuously assign project-, seminar-, Bachelor- and Master theses. If none of the open topics suits your particular interests then just come to our offices or write me an email (Michael Eichberg), we may find a topic in which we are both interested.

    Symbolic Execution

    Figure 1 the path condition (PC) is initially true. If the program takes the if statement's then branch, the path condition will be X

    This JPF extension performs symbolic execution of Java programs. One of the main applications is automated generation of test inputs that obtain high coverage (e.g. path coverage) of code. Other applications include error detection in concurrent programs that take inputs from unbounded domains and lightweight theorem proving.

    Symbolic execution, sometimes referred to as symbolic evaluation, does not execute a program in the traditional sense of the word. The notion of execution requires that a selection of paths through the program are exercised by a set of data values. A program which is executed using actual data results in the output of a series of values. In symbolic execution the data is replaced by symbolic values. A set of expressions, one expression per output variable, is produced.

    The most common approach to symbolic execution is to perform an analysis of the program, resulting in the creation of a flow graph.

    Difficulties facing symbolic execution

    There are four areas which give rise to considerable difficulty for symbolic execution: the evaluation of loops; a dilemma over how to process module calls (calls to functions, procedures, subroutines and subprograms); the evaluation of array references dependent on input values; and checking the feasibility of paths.

    The first problem concerns loops. Symbolic execution cannot proceed beyond a loop unless the number of iterations is known. When the number of iterations is dependent upon the input variables, determining the number of iterations requires the solution of recurrence relations. Such a solution, if derivable, is likely to yield a symbolic expression as opposed to an actual value.

    The second problem involves module calls. The term module call is used here to refer to the invocation of any out-of-line code. This includes subprograms that are compiled separately from the invoking program, internal subroutines, procedures and functions. The dilemma concerning module calls is whether to treat them using the macroexpansion approach or the lemma approach.

    Test data generation:

    The symbolic input values in the expressions produced for each output variable can be substituted with actual values. The values substituted constitute a test case and the evaluation of the expression provides the corresponding output value. The creation of such values may be automated by using a numerical optimiser. The PC is used as a set of constraints and the solution to an arbitrary objective function is used as a test case. This method of automatically generating comprehensive test data is likely to yield a smaller test set than other approaches, such as random testing.
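Added example, not from the original slides: a small Python symbolic executor for a constructed `swap` program, showing the path condition of each path, one symbolic expression per output variable, a path that turns out to be infeasible, and a test case generated from each feasible PC. The names `Sym`, `swap`, `explore`, `solve` and `generate_tests` are assumptions, and the brute-force search over a small integer domain stands in for the constraint solver or numerical optimiser described above.

```python
from itertools import product

class Sym:  # symbolic value: keeps the formula text instead of computing a number
    def __init__(self, text): self.text = text
    def _bin(self, op, o):
        return Sym(f"({self.text} {op} {o.text if isinstance(o, Sym) else repr(o)})")
    def __add__(self, o): return self._bin("+", o)
    def __sub__(self, o): return self._bin("-", o)
    def __gt__(self, o): return self._bin(">", o)

def swap(x, y, branch):  # constructed sample; each `if` asks branch() which way to go
    if branch(x > y):
        x = x + y
        y = x - y
        x = x - y
        if branch(x - y > 0):
            return {"x": x, "y": y, "fail": Sym("1")}   # stands for `assert false`
    return {"x": x, "y": y, "fail": Sym("0")}

def explore(program):
    """Replay the program once per branch-decision sequence: [(PC, outputs)]."""
    paths, work = [], [[]]
    while work:
        forced, taken, pc = work.pop(), [], []
        def branch(cond):
            taken.append(forced[len(taken)] if len(taken) < len(forced) else True)
            pc.append(cond.text if taken[-1] else f"(not {cond.text})")
            return taken[-1]
        out = program(Sym("X"), Sym("Y"), branch)
        # schedule the untried "else" side of every branch first met on this run
        work += [taken[:k] + [False] for k in range(len(forced), len(taken))]
        paths.append((pc, {v: e.text for v, e in out.items()}))
    return paths

def solve(pc, domain=range(-3, 4)):
    """Solver stand-in: a witness in a small domain, or None. eval only sees Sym-built text."""
    for a, b in product(domain, repeat=2):
        if all(eval(c, {"__builtins__": {}}, {"X": a, "Y": b}) for c in pc):
            return {"X": a, "Y": b}
    return None   # no witness in the domain: the path is treated as infeasible

def generate_tests(program):
    """One test case per feasible path: (path condition, inputs, expected outputs)."""
    tests = []
    for pc, out in explore(program):
        inputs = solve(pc)
        if inputs is not None:
            expected = {v: eval(e, {"__builtins__": {}}, inputs) for v, e in out.items()}
            tests.append((" and ".join(pc) or "true", inputs, expected))
    return tests
```

`generate_tests(swap)` yields two test cases for three explored paths: the path that reaches the `assert false` stand-in has a PC with no solution, so no input can drive the program down it.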

    Partition analysis:

    Partition analysis is another technique that makes use of the output from symbolic execution to determine test data. It uses symbolic execution to identify sub-domains of the input data domain.

    Program reduction:

    King describes how symbolic execution can be used to achieve program reduction. This is the act of taking a program and producing another program containing fewer statements. The result is a simpler program consistent with the original, but operating over a smaller domain. This is useful when re-using software where only a sub-set of the cases handled are required. A major step forward will have taken place in software engineering when the re-use of software is normal practice. Program reduction is a step towards this goal.
