Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionDealing with constraints in symbolic executio...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 O...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 O...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConstraints in Symbolic ExecutionConstraints ...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolversDepending on code, different kinds solv...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 O...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConstraint independenceConstraint independenc...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConstraint independenceConstraint independenc...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConstraint independenceConstraint independenc...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingMultiple quer...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingConstraint So...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingConstraint So...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingConstraint So...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingConstraint So...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionIncremental solvingIncremental solvingIn quer...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionIncremental solvingEmpirical resultsFigure: P...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 O...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionMotivationMotivationStill many unsolvable pat...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionMotivationMetaheuristicsRandom initial soluti...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionCORALCORALxtan(y)+ z < x ∗ arctan(z) ∧sin(y) ...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionCORALCORALFocus on floating point computationS...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionCORALCORAL: Stepwise Adaptive WeightingSoluti...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionCORALCORAL: Stepwise Adaptive WeightingSoluti...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 O...
Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConclusionConstraint solving dominates runtim...
Upcoming SlideShare
Loading in …5
×

Dealing with complex constraints in symbolic execution

114
-1

Published on

Published in: Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
114
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Dealing with complex constraints in symbolic execution

  1. 1. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionDealing with constraints in symbolic executionBernhard MallingerProgramming Languages Seminar SS13TU WienJune 11th, 2013Bernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  2. 2. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 OptimisationsConstraint independenceSolution cachingIncremental solving3 Heuristic ApproachMotivationCORAL4 ConclusionBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  3. 3. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 OptimisationsConstraint independenceSolution cachingIncremental solving3 Heuristic ApproachMotivationCORAL4 ConclusionBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  4. 4. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConstraints in Symbolic ExecutionConstraints on variables are collected by analysing code:1 i f (preproc) {2 i f (extensive_preproc) {3 // extensive preprocessing4 }5 }extensive preprocessing-block is reached iffPC ∧ preproc ∧ extensive_preproc is satisfiable⇒ Unreachability test⇒ Test case generatorBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  5. 5. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolversDepending on code, different kinds solvers are efficientLinear arithmeticComplex functionsGeneral, unstructured constraints. . .Tremendous speedup in recent years (SAT)Especially continuous functions still not solvableConstraint solving dominates runtimeBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  6. 6. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 OptimisationsConstraint independenceSolution cachingIncremental solving3 Heuristic ApproachMotivationCORAL4 ConclusionBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  7. 7. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConstraint independenceConstraint independenceIn the path condition, all constraints are combined⇒ but not all relatedSeparate logically independent groups1 i f (preproc) {2 // do preproc3 }4 // algo5 i f (postproc) {6 // do postproc7 }PC ∧ preproc ∧ postprocPC ∧ preproc ∧ ¬postprocPC ∧ ¬preproc ∧ postprocPC ∧ ¬preproc ∧ ¬postprocVariables related if appear in same constraint⇒ Reachability problemBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  8. 8. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConstraint independenceConstraint independenceIn the path condition, all constraints are combined⇒ but not all relatedSeparate logically independent groups1 i f (preproc) {2 // do preproc3 }4 // algo5 i f (postproc) {6 // do postproc7 }PC ∧ preproc ∧ postprocPC ∧ preproc ∧ ¬postprocPC ∧ ¬preproc ∧ postprocPC ∧ ¬preproc ∧ ¬postprocVariables related if appear in same constraint⇒ Reachability problemBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  9. 9. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConstraint independenceConstraint independenceIn the path condition, all constraints are combined⇒ but not all relatedSeparate logically independent groups1 i f (preproc) {2 // do preproc3 }4 // algo5 i f (postproc) {6 // do postproc7 }PC ∧ preproc ∧ postprocPC ∧ preproc ∧ ¬postprocPC ∧ ¬preproc ∧ postprocPC ∧ ¬preproc ∧ ¬postprocVariables related if appear in same constraint⇒ Reachability problemBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  10. 10. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingMultiple queries contain same independent groups ofconstraints ⇒ simply cache resultsMore elaborate: exploit repetitions in path conditions:1 i f (preproc) {2 i f (extensive_preproc) {3 // do extensive preprocessing4 }5 }PC ∧ preprocPC ∧ preproc ∧ extensive_preprocBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  11. 11. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingConstraint SolutionC1 = {preproc} S1 = {preproc → 1}C2 = {preproc, ext_preproc} S2 = {preproc → 1,ext_preproc → 1}C3 = {preproc, ¬preproc} XC4 = {preproc, ¬preproc, postproc } XS2 is a solution to C1 due to C1 ⊆ C2Since C3 is unsatisfiable, so is C4 as C3 ⊆ C4S2 often is an extension of S1 since C1 ⊆ C2Bernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  12. 12. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingConstraint SolutionC1 = {preproc} S1 = {preproc → 1}C2 = {preproc, ext_preproc} S2 = {preproc → 1,ext_preproc → 1}C3 = {preproc, ¬preproc} XC4 = {preproc, ¬preproc, postproc } XS2 is a solution to C1 due to C1 ⊆ C2Since C3 is unsatisfiable, so is C4 as C3 ⊆ C4S2 often is an extension of S1 since C1 ⊆ C2Bernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  13. 13. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingConstraint SolutionC1 = {preproc} S1 = {preproc → 1}C2 = {preproc, ext_preproc} S2 = {preproc → 1,ext_preproc → 1}C3 = {preproc, ¬preproc} XC4 = {preproc, ¬preproc, postproc } XS2 is a solution to C1 due to C1 ⊆ C2Since C3 is unsatisfiable, so is C4 as C3 ⊆ C4S2 often is an extension of S1 since C1 ⊆ C2Bernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  14. 14. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionSolution cachingSolution cachingConstraint SolutionC1 = {preproc} S1 = {preproc → 1}C2 = {preproc, ext_preproc} S2 = {preproc → 1,ext_preproc → 1}C3 = {preproc, ¬preproc} XC4 = {preproc, ¬preproc, postproc } XS2 is a solution to C1 due to C1 ⊆ C2Since C3 is unsatisfiable, so is C4 as C3 ⊆ C4S2 often is an extension of S1 since C1 ⊆ C2Bernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  15. 15. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionIncremental solvingIncremental solvingIn queries generated in symbolic execution, often only the lastpredicates differ1 i f (postproc) {2 i f (fancy_output) {3 // print fancy statistics4 }5 }PC ∧ postprocPC ∧ postproc ∧ fancy_outputDetermine set of variables which are dependent of variables inlast predicate, solve them and else reuse old solutionBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  16. 16. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionIncremental solvingEmpirical resultsFigure: Performance with and without the solution cache and constraintindependence optimisation in KLEE. Source: Cadar et al., 2008Bernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  17. 17. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 OptimisationsConstraint independenceSolution cachingIncremental solving3 Heuristic ApproachMotivationCORAL4 ConclusionBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  18. 18. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionMotivationMotivationStill many unsolvable path conditionsCan’t search exhaustively, so guess smartly, improve guessesReasonable way of “thinking”?Reinterpret decision problem as optimisation problemMinimise violationsNew precondition: Locality in solution spaceWorks for all domains, given localityBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  19. 19. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionMotivationMetaheuristicsRandom initial solutions probably contain viable fragmentsOptimise given invalid solutions by local searchCombine promising solutionsSteer towards regions of high objective valueBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  20. 20. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionCORALCORALxtan(y)+ z < x ∗ arctan(z) ∧sin(y) + cos(y) + tan(y) ≥ x − z ∧arctan(x) + arctan(y) > yBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  21. 21. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionCORALCORALFocus on floating point computationSolves constraints by particle swarm optimisation (populationbased metaheuristic)Generates initial solutions randomly in range determined byinterval solver“Solves all constraints that exact solvers manage and more”Bernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  22. 22. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionCORALCORAL: Stepwise Adaptive WeightingSolutions with even minimal constraint violations are stillinfeasibleAvoiding local optima is criticalStepwise Adaptive Weighting (SAW)Change objective function dynamically during runtimeReward solutions that satisfy hard-to-solve constraintsBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  23. 23. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionCORALCORAL: Stepwise Adaptive WeightingSolutions with even minimal constraint violations are stillinfeasibleAvoiding local optima is criticalStepwise Adaptive Weighting (SAW)Change objective function dynamically during runtimeReward solutions that satisfy hard-to-solve constraintsBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  24. 24. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionOutline1 Constraints in Symbolic Execution2 OptimisationsConstraint independenceSolution cachingIncremental solving3 Heuristic ApproachMotivationCORAL4 ConclusionBernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution
  25. 25. Constraints in Symbolic Execution Optimisations Heuristic Approach ConclusionConclusionConstraint solving dominates runtime of symbolic executionUnsolvable constraints severely hinder symbolic executionSome optimisations:Constraint independenceSolution cachingIncremental solvingHarder constraints can/have to be solved (meta-)heuristicallyNavigate reasonably, not exhaustively through search spaceTry to goal-orientedly optimise infeasible solutionsDeal with local optima (e.g. by SAW)Bernhard Mallinger Programming Languages Seminar SS13 TU WienDealing with constraints in symbolic execution

×