Symbolic Execution as DPLL Modulo Theories

1. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution as DPLL Modulo Theories Q. Sang Phan Queen Mary, University of London September 25, 2014 1 / 25

2. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Outline 1 Introduction 2 Background 3 Symbolic Execution as DPLL(T ) 4 A lightweight approach for Symbolic Execution 5 Conclusion 2 / 25

4. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution A program analysis technique that has several applications, in particular automated test generation. Executing programs with symbols instead of concrete inputs. 4 / 25

5. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution Academic: Imperial: KLEE EPFL: S2E UC Berkeley: CREST and BitBlaze UIUC: Cute, jCute . . . Industry: NASA: Symbolic PathFinder Microsoft: Pex, Sage, Yogi IBM: Apollo . . . 5 / 25

6. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Satis

7. ability Modulo Theories Decision problem for logical formulas over one or more

8. rst-order theories ' (:(x0 5) _ T1) ^ ((x0 5) _ T2) ^ (:(x0 5) _ (x1 = x0 + 1)) ^ (:(x1 3) _ T3) ^ (:(x1 3) _ (x2 = x1 1)) ^ ((x1 3) _ T4) ^ ((x1 3) _ (y1 = x1 + 1)) 6 / 25

9. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Satis

10. ability Modulo Theories Decision problem for logical formulas over one or more

11. rst-order theories ' (:(x0 5) _ T1) ^ ((x0 5) _ T2) ^ (:(x0 5) _ (x1 = x0 + 1)) ^ (:(x1 3) _ T3) ^ (:(x1 3) _ (x2 = x1 1)) ^ ((x1 3) _ T4) ^ ((x1 3) _ (y1 = x1 + 1)) Tools: Microsoft: Z3 NYU: CVC3 SRI: Yices . . . SMT competition: http://www.smtcomp.org/ 6 / 25

12. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution as an SMT solver Symbolic Execution can be viewed as an SMT solver 7 / 25

14. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion DPLL Modulo Theories The lazy approach for SMT SMT solver = SAT solver + T -solver SAT solver: implement DPLL algorithm T -solver: check satis

15. ability of conjunctions of literals 9 / 25

16. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion DPLL Modulo Theories The lazy approach for SMT SMT solver = SAT solver + T -solver SAT solver: implement DPLL algorithm T -solver: check satis

17. ability of conjunctions of literals DPLL-based SAT solver: a depth-

18. rst search procedure, using three main operations: decide: choose a literal l from the formula. propagate: remove all the clauses containing l , and deletes all occurrences of :l in the formula. backtrack: if encounter a con ict. 9 / 25

19. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Boolean Abstraction ' (:(x0 5) _ T1) ^ ((x0 5) _ T2) ^ (:(x0 5) _ (x1 = x0 + 1)) ^ (:(x1 3) _ T3) ^ (:(x1 3) _ (x2 = x1 1)) ^ ((x1 3) _ T4) ^ ((x1 3) _ (y1 = x1 + 1)) (x0 5), (x1 = x0 + 1), . . . : T -atoms T1;T2; : : : : Boolean atoms 10 / 25

20. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Boolean Abstraction ' (:(x0 5) _ T1) ^ ((x0 5) _ T2) ^ (:(x0 5) _ (x1 = x0 + 1)) ^ (:(x1 3) _ T3) ^ (:(x1 3) _ (x2 = x1 1)) ^ ((x1 3) _ T4) ^ ((x1 3) _ (y1 = x1 + 1)) (x0 5), (x1 = x0 + 1), . . . : T -atoms T1;T2; : : : : Boolean atoms Boolean abstraction of ': 'P (:G1 _ T1) ^ (G1 _ T2) ^ (:G1 _ A1) ^ (:G2 _ T3) ^ (:G2 _ A2) ^ (G2 _ T4) ^ (G2 _ A3) 10 / 25

21. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion DPLL-based SAT solver 'P (:G1 _ T1) ^ (G1 _ T2) ^ (:G1 _ A1) ^ (:G2 _ T3) ^ (:G2 _ A2) ^ (G2 _ T4) ^ (G2 _ A3) 0. P = True 'P 1. P = G1 'P = (:G2 _ T3) ^ (:G2 _ A2) ^ (G2 _ T4) ^ (G2 _ A3) 2. P = G1 ^ G2 'P = True ; T -solver() = Inconsistent 3. P = G1 'P = (:G2 _ T3) ^ (:G2 _ A2) ^ (G2 _ T4) ^ (G2 _ A3) 4. P = G1 ^ :G2 'P = True ; T -solver() = Consistent 11 / 25

22. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution pc ` c : execute the then path pc ` :c : execute the else path (pc 0 c) ^ (pc 0 :c): execute both paths then path: update pc1 = pc ^ c else path: update pc2 = pc ^ :c Use SMT solver to check satis

23. ability of path conditions 12 / 25

24. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution pc ` c : execute the then path pc ` :c : execute the else path (pc 0 c) ^ (pc 0 :c): execute both paths then path: update pc1 = pc ^ c else path: update pc2 = pc ^ :c Use SMT solver to check satis

25. ability of path conditions Observation SMT solver is used to solve conjunctions of literals ) the SAT solver is not used 12 / 25

26. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Implementation of Symbolic Execution Symbolic Executor = Boolean Executor + T -solver Boolean Executor: A depth-

27. rst search procedure, using three main operations: decide: choose a literal from the condition. update: execute block of code on that path. backtrack: if reach the leaf of the symbolic execution tree. 13 / 25

29. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Transition System A bounded Static Single Assignment program: P (S; I ; G;A;T) S: the set of symbolic states I S : the set of initial symbolic states G : the set of guards A : the set of action Actions do not update computer memory: presented by Boolean atoms. Actions update computer memory: presented by T -atoms. T S G A S: the transition function 15 / 25

30. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Program to formula tij = hsi ; gij ; aij ; sj i 2 T: si ! sj by action aij under guard gij 16 / 25

31. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Program to formula tij = hsi ; gij ; aij ; sj i 2 T: si ! sj by action aij under guard gij Encode the transition into a formula: tij gij ! aij or equally tij :gij _ aij 16 / 25

32. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Program to formula tij = hsi ; gij ; aij ; sj i 2 T: si ! sj by action aij under guard gij Encode the transition into a formula: tij gij ! aij or equally tij :gij _ aij A program trace: t01 ^ t12 ^ ^ t(k1)k = (:g01 _ a01) ^ (:g12 _ a12) ^ (:g(k1)k _ a(k1)k ) 16 / 25

33. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Program to formula tij = hsi ; gij ; aij ; sj i 2 T: si ! sj by action aij under guard gij Encode the transition into a formula: tij gij ! aij or equally tij :gij _ aij A program trace: t01 ^ t12 ^ ^ t(k1)k = (:g01 _ a01) ^ (:g12 _ a12) ^ (:g(k1)k _ a(k1)k ) Program semantics: all possible traces ' = ^ tij2T tij = ^ tij2T (:gij _ aij ) 16 / 25

34. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Transition System: Example void test ( int x, int y){ if(x 5){ x ++; if (x 3) x --; else y = x + 1; } } s0 x0 5 T1 s1 s2 s3 s4 s5 s6 s7 ¬(x0 5) T2 x0 5 x1 = x0 + 1 x1 3 T3 ¬(x1 3) T4 x1 3 ¬(x1 3) x2 = x1 − 1 y1 = x1 + 1 17 / 25

35. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Transition System: Example void test ( int x, int y){ if(x 5){ x ++; if (x 3) x --; else y = x + 1; } } s0 x0 5 T1 s1 s2 s3 s4 s5 s6 s7 ¬(x0 5) T2 x0 5 x1 = x0 + 1 x1 3 T3 ¬(x1 3) T4 x1 3 ¬(x1 3) x2 = x1 − 1 y1 = x1 + 1 ' (:(x0 5) _ T1) ^ ((x0 5) _ T2) ^ (:(x0 5) _ (x1 = x0 + 1)) ^ (:(x1 3) _ T3) ^ (:(x1 3) _ (x2 = x1 1)) ^ ((x1 3) _ T4) ^ ((x1 3) _ (y1 = x1 + 1)) 17 / 25

36. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution vs SMT solver Symbolic Execution Symbolic Executor = Boolean Executor + T -solver Boolean Executor: a depth-

37. rst search procedure, using three main operations: decide, update, backtrack SMT solver SMT solver = SAT solver + T -solver DPLL-based SAT solver: a depth-

38. rst search procedure, using three main operations: decide, propagate, backtrack 18 / 25

40. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution vs SMT solver Symbolic Execution returns all symbolic path. SMT solvers return only one model. ! Use an SMT solver that can return all models for Symbolic Execution ! The only SMT solver known to generate all models: MathSAT 20 / 25

41. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution via All-SMT 'P := (:G1 _ T1) ^ (G1 _ T2) ^ (:G1 _ A1) ^ (:G2 _ T3) ^ (:G2 _ A2) ^ (G2 _ T4) ^ (G2 _ A3) 1 (assert (= ( x0 5) G1)) 8 (assert (or (not G1) A1)) 2 (assert (= ( x1 3) G2)) 9 (assert (or (not G2) T3)) 3 (assert (= (= x1 (+ x0 1)) A1)) 10 (assert (or (not G2) A2)) 4 (assert (= (= x2 ( x1 1)) A2)) 11 (assert (or G2 T4)) 5 (assert (= (= y1 (+ x1 1)) A2)) 12 (assert (or G2 A3)) 6 (assert (or (not G1) T1)) 13 (check-allsat (G1 G2)) 7 (assert (or G1 T2)) 21 / 25

42. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Symbolic Execution via All-SMT (G1 G2): (True,False), (False,True) and (False,False) s0 x0 5 T1 s1 s2 s3 s4 s5 s6 s7 ¬(x0 5) T2 x0 5 x1 = x0 + 1 x1 3 T3 ¬(x1 3) T4 x1 3 ¬(x1 3) x2 = x1 − 1 y1 = x1 + 1 22 / 25

44. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion Conclusion Symbolic Execution can be viewed as an SMT solver Exploit techniques developed for Symbolic Execution to SMT. Exploit techniques developed for SMT for Symbolic Execution. A lightweight approach for Symbolic Execution based on All-SMT solver 24 / 25

45. Introduction Background Symbolic Execution as DPLL(T ) A lightweight approach for Symbolic Execution Conclusion THANK YOU FOR YOUR ATTENTION! 25 / 25

Symbolic Execution as DPLL Modulo Theories

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Symbolic Execution as DPLL Modulo Theories

Similar to Symbolic Execution as DPLL Modulo Theories (20)

More from Quoc-Sang Phan

More from Quoc-Sang Phan (7)

Recently uploaded

Recently uploaded (20)

Symbolic Execution as DPLL Modulo Theories