Dealing with complex constraints in symbolic execution
1.
Dealing with constraints in symbolic execution
Bernhard Mallinger
Programming Languages Seminar SS13, TU Wien
June 11th, 2013
2.
Outline
1 Constraints in Symbolic Execution
2 Optimisations
    Constraint independence
    Solution caching
    Incremental solving
3 Heuristic Approach
    Motivation
    CORAL
4 Conclusion
4.
Constraints in Symbolic Execution
Constraints on variables are collected by analysing code:

    if (preproc) {
        if (extensive_preproc) {
            // extensive preprocessing
        }
    }

- The extensive preprocessing block is reached iff PC ∧ preproc ∧ extensive_preproc is satisfiable
- ⇒ Unreachability test
- ⇒ Test case generator
5.
Solvers
- Depending on the code, different kinds of solvers are efficient:
    - Linear arithmetic
    - Complex functions
    - General, unstructured constraints
    - ...
- Tremendous speedup in recent years (SAT)
- Especially continuous functions still not solvable
- Constraint solving dominates runtime
7.
Constraint independence
- In the path condition, all constraints are combined ⇒ but not all are related
- Separate logically independent groups

    if (preproc) {
        // do preproc
    }
    // algo
    if (postproc) {
        // do postproc
    }

    PC ∧ preproc ∧ postproc
    PC ∧ preproc ∧ ¬postproc
    PC ∧ ¬preproc ∧ postproc
    PC ∧ ¬preproc ∧ ¬postproc

- Variables are related if they appear in the same constraint ⇒ Reachability problem
10.
Solution caching
- Multiple queries contain the same independent groups of constraints ⇒ simply cache results
- More elaborate: exploit repetitions in path conditions:

    if (preproc) {
        if (extensive_preproc) {
            // do extensive preprocessing
        }
    }

    PC ∧ preproc
    PC ∧ preproc ∧ extensive_preproc
11.
Solution caching

    Constraint                             Solution
    C1 = {preproc}                         S1 = {preproc → 1}
    C2 = {preproc, ext_preproc}            S2 = {preproc → 1, ext_preproc → 1}
    C3 = {preproc, ¬preproc}               X
    C4 = {preproc, ¬preproc, postproc}     X

- S2 is a solution to C1 due to C1 ⊆ C2
- Since C3 is unsatisfiable, so is C4 as C3 ⊆ C4
- S2 often is an extension of S1 since C1 ⊆ C2
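The subset and superset rules from the table above, as an added example that is not part of the original slides. The literal encoding ("v" / "!v"), the class name SolutionCache and the brute-force stand-in solver are assumptions made for illustration.

```python
from itertools import product

UNSAT = None  # cache value meaning "no satisfying assignment exists"

def holds(lit, model):
    """True if the literal ('v' or '!v') is satisfied; unassigned variables never satisfy."""
    return model.get(lit.lstrip("!")) is (not lit.startswith("!"))

def brute_force(cs):
    """Stand-in for the real solver: enumerate all Boolean assignments."""
    names = sorted({lit.lstrip("!") for lit in cs})
    for bits in product([True, False], repeat=len(names)):
        model = dict(zip(names, bits))
        if all(holds(lit, model) for lit in cs):
            return model
    return UNSAT

class SolutionCache:
    def __init__(self):
        self.entries = {}       # frozenset of literals -> model or UNSAT
        self.solver_calls = 0   # how often the expensive solver was really needed

    def query(self, constraints):
        cs = frozenset(constraints)
        if cs in self.entries:
            return self.entries[cs]
        for cached, model in self.entries.items():
            if model is UNSAT and cached <= cs:
                return UNSAT    # an unsatisfiable subset makes every superset unsatisfiable
            if model is not UNSAT and all(holds(lit, model) for lit in cs):
                return model    # a cached model (e.g. of a superset) already satisfies cs
        self.solver_calls += 1
        self.entries[cs] = brute_force(cs)
        return self.entries[cs]

if __name__ == "__main__":
    cache = SolutionCache()
    for c in ({"preproc", "ext_preproc"}, {"preproc"},
              {"preproc", "!preproc"}, {"preproc", "!preproc", "postproc"}):
        print(sorted(c), cache.query(c), "solver calls:", cache.solver_calls)
```

Queried in the order C2, C1, C3, C4, only C2 and C3 reach the solver; C1 is answered by S2 and C4 by the cached unsatisfiable C3.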
15.
Incremental solving
- In queries generated in symbolic execution, often only the last predicates differ

    if (postproc) {
        if (fancy_output) {
            // print fancy statistics
        }
    }

    PC ∧ postproc
    PC ∧ postproc ∧ fancy_output

- Determine the set of variables that depend on variables in the last predicate, solve for them, and otherwise reuse the old solution
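An added example, not taken from the slides, covering both the constraint independence slide and the incremental solving slide: constraints are grouped by shared variables, and a new predicate triggers re-solving of its own group only. The integer constraints over preproc, size, postproc and fancy_output are constructed, the exhaustive solver is a stand-in, and the old model is assumed to satisfy the path condition.

```python
from itertools import product

def relevant_slice(constraints, seed_vars):
    """Constraints transitively sharing a variable with seed_vars, plus the variables reached."""
    reached, chosen, grew = set(seed_vars), [], True
    while grew:
        grew = False
        for c in constraints:
            if c not in chosen and reached & set(c[0]):
                chosen.append(c)
                reached |= set(c[0])
                grew = True
    return chosen, reached

def independent_groups(constraints):
    """Partition a path condition into groups that share no variables."""
    groups, rest = [], list(constraints)
    while rest:
        group = relevant_slice(rest, rest[0][0])[0] or [rest[0]]  # variable-free constraint
        groups.append(group)
        rest = [c for c in rest if c not in group]
    return groups

def solve(constraints, variables, domain=range(8)):
    """Stand-in for a real solver: exhaustive search over a small integer domain."""
    names = sorted(variables)
    for values in product(domain, repeat=len(names)):
        model = dict(zip(names, values))
        if all(pred(model) for _, pred in constraints):
            return model
    return None

def incremental_solve(path_condition, old_model, new_constraint):
    """Re-solve only what the new predicate touches; keep old values for everything else."""
    related, variables = relevant_slice(path_condition + [new_constraint], new_constraint[0])
    partial = solve(related, variables)
    return None if partial is None else {**old_model, **partial}

# Constructed path condition: each constraint is (variables, predicate over a model).
PC = [
    (("preproc", "size"), lambda m: m["preproc"] + m["size"] >= 5),
    (("postproc",), lambda m: m["postproc"] >= 1),
]
NEW = (("fancy_output", "postproc"), lambda m: m["fancy_output"] > m["postproc"])

if __name__ == "__main__":
    old = solve(PC, {"preproc", "size", "postproc"})
    print(len(independent_groups(PC + [NEW])), incremental_solve(PC, old, NEW))
```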
16.
Empirical results
Figure: Performance with and without the solution cache and constraint independence optimisation in KLEE. Source: Cadar et al., 2008
18.
Motivation
- Still many unsolvable path conditions
- Can't search exhaustively, so guess smartly, improve guesses
- Reasonable way of "thinking"?
- Reinterpret decision problem as optimisation problem
- Minimise violations
- New precondition: Locality in solution space
- Works for all domains, given locality
19.
Metaheuristics
- Random initial solutions probably contain viable fragments
- Optimise given invalid solutions by local search
- Combine promising solutions
- Steer towards regions of high objective value
20.
CORAL

    x^tan(y) + z < x * arctan(z) ∧
    sin(y) + cos(y) + tan(y) ≥ x − z ∧
    arctan(x) + arctan(y) > y
21.
CORAL
- Focus on floating point computation
- Solves constraints by particle swarm optimisation (population based metaheuristic)
- Generates initial solutions randomly in range determined by interval solver
- "Solves all constraints that exact solvers manage and more"
22.
CORAL: Stepwise Adaptive Weighting
- Solutions with even minimal constraint violations are still infeasible
- Avoiding local optima is critical
- Stepwise Adaptive Weighting (SAW)
- Change objective function dynamically during runtime
- Reward solutions that satisfy hard-to-solve constraints
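A particle swarm search with a SAW step over the three conjuncts of the CORAL example slide, added here as an illustration; it is not CORAL's code. Assumptions: the first conjunct is read as x raised to tan(y), the search box [-10, 10] replaces the range an interval solver would supply, and the swarm parameters and function names are arbitrary choices.

```python
import math
import random

def violations(p):
    """Violation distance of each conjunct at p = (x, y, z); 0.0 means satisfied."""
    x, y, z = p
    eps = 1e-9  # margin so that strict inequalities are not met with equality
    try:
        return [
            max(0.0, math.pow(x, math.tan(y)) + z - x * math.atan(z) + eps),
            max(0.0, (x - z) - (math.sin(y) + math.cos(y) + math.tan(y))),
            max(0.0, y - (math.atan(x) + math.atan(y)) + eps),
        ]
    except (ValueError, OverflowError):  # pow outside its real domain or too large
        return [1e6, 1e6, 1e6]

def saw_update(weights, best, delta=1.0):
    """SAW step: raise the weight of every constraint the current best still violates."""
    return [w + delta if v > 0 else w for w, v in zip(weights, violations(best))]

def pso_saw(seed=0, particles=30, iters=300, lo=-10.0, hi=10.0):
    """Return a point satisfying all conjuncts, or None if the budget runs out."""
    rng = random.Random(seed)
    weights = [1.0, 1.0, 1.0]
    cost = lambda p: sum(w * v for w, v in zip(weights, violations(p)))
    pos = [[rng.uniform(lo, hi) for _ in range(3)] for _ in range(particles)]
    vel = [[0.0] * 3 for _ in range(particles)]
    best = [p[:] for p in pos]
    for it in range(iters):
        leader = min(best, key=cost)
        if sum(violations(leader)) == 0.0:
            return tuple(leader)
        if it % 20 == 19:  # periodically re-weight the objective
            weights = saw_update(weights, leader)
        for i in range(particles):
            for d in range(3):
                vel[i][d] = (0.7 * vel[i][d]
                             + 1.5 * rng.random() * (best[i][d] - pos[i][d])
                             + 1.5 * rng.random() * (leader[d] - pos[i][d]))
                pos[i][d] = min(hi, max(lo, pos[i][d] + vel[i][d]))
            if cost(pos[i]) < cost(best[i]):
                best[i] = pos[i][:]
    leader = min(best, key=cost)
    return tuple(leader) if sum(violations(leader)) == 0.0 else None
```

The search is heuristic: a returned point is a valid test input, while None only means the budget was exhausted, not that the path condition is unsatisfiable.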
25.
Conclusion
- Constraint solving dominates runtime of symbolic execution
- Unsolvable constraints severely hinder symbolic execution
- Some optimisations:
    - Constraint independence
    - Solution caching
    - Incremental solving
- Harder constraints can/have to be solved (meta-)heuristically
- Navigate reasonably, not exhaustively, through the search space
- Try to optimise infeasible solutions in a goal-oriented way
- Deal with local optima (e.g. by SAW)