combining partial evaluation and symbolic execution
play

COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION Reiner Hhnle - PowerPoint PPT Presentation

Aug 20, 2022 •360 likes •598 views

COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION Reiner Hhnle & Richard Bubel Chalmers University Symposium09 Speyer CONTROL CIRCUIT y = 80; threshold = 100; if (y > threshold) { decrease = true; } else { decrease = false;

  1. COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION Reiner Hähnle & Richard Bubel Chalmers University Symposium’09 Speyer

  2. CONTROL CIRCUIT y = 80; threshold = 100; if (y > threshold) { decrease = true; } else { decrease = false; } while ( | y-threshold | > eps) { y = decrease ? y-1 : y+1; }

  3. CONTROL-FLOW GRAPH y = 80 y = 80; threshold=100 threshold = 100; y>threshold ? if (y > threshold) { decrease = true; decrease = true; decrease = false; } else { decrease = false; } | y-threshold | > eps ? while ( | y-threshold | > eps) { decrease ? y = decrease ? y-1 : y+1; y=y-1; y=y+1; }

  4. PARTIAL EVALUATION Evaluator Evaluator y 80 threshold 100 Static information y = 80 decrease false propagated along CFG threshold=100 • constant propagation 80>100 ? false y>threshold ? • constant expression evaluation decrease = true; decrease = false; • dead-code elimination Evaluator Evaluator • other: type coercion, y - | y-threshold | > eps ? | y-100 | > eps ? threshold 100 safe dereferencing etc. decrease false decrease ? false y=y-1; y=y+1;

  5. PARTIAL EVALUATION A Bit More Realistic y = 80 threshold=100 threshold=100 y>100 ? y>threshold ? decrease = true; decrease = true; decrease = false; decrease = false; | y-threshold | > eps ? | y-100 | > eps ? decrease ? decrease ? y=y-1; y=y+1; y=y-1; y=y+1;

  6. SYMBOLIC EXECUTION threshold=100 y>threshold ? decrease = true; decrease = false; | y-threshold | > eps ? decrease ? y=y-1; y=y+1;

  7. SYMBOLIC EXECUTION threshold=100 threshold=100 y>threshold ? y>threshold ? decrease = true; decrease = false; decrease = true; decrease=false; | y-threshold | > eps ? | y-threshold | > eps ? | y-threshold | > eps ? decrease ? y=y-1; y=y+1; decrease ? decrease ? y=y-1; y=y+1; y=y-1; y=y+1; |y-threshold| > eps ? | y-threshold | > eps ? | y-threshold | > eps ? | y-threshold | > eps ? decrease ? decrease ? decrease ? decrease ? y=y+1; y=y+1; y=y+1; y=y+1; y=y-1; y=y-1; y=y-1; y=y-1;

  8. OPTIMIZING SYMBOLIC EXECUTION Symbolic Execution • unfolds control-flow graph into tree • unfeasible paths must be closed by first-order proof search interleave partial evaluation and symbolic execution

  9. INTERLEAVING threshold=100 threshold=100 y>threshold ? y>threshold ? y>100 ? decrease = true; decrease = false; decrease=false; decrease=true; | y-threshold | > eps ? decrease ? y=y-1; y=y+1; | y-threshold | > eps ? | y-threshold | > eps ? | y-100 | > eps ? | y-100 | > eps ? true false decrease ? decrease ? y=y-1; y=y+1; y=y-1; y=y+1; | y-threshold | > eps ? | y-100 | > eps ? | y-threshold | > eps ? | y-100 | > eps ? | y-threshold | > eps ? | y-100 | > eps ? | y-threshold | > eps ? | y-100 | > eps ? true true false false decrease ? decrease ? decrease ? decrease ? y=y+1; y=y+1; y=y+1; y=y-1; y=y-1; y=y+1; y=y-1; y=y-1;

  10. INTERLEAVING threshold=100 threshold=100 y>100 ? y>threshold ? decrease=true; decrease=false; decrease = true; decrease = false; | y-threshold | > eps ? | y-100 | > eps ? | y-100 | > eps ? decrease ? y=y-1; y=y+1; true false y=y-1; y=y+1; | y-100 | > eps ? | y-100 | > eps ? true false y=y-1; y=y+1;

  11. PROGRAM LOGIC Programming Language Simple OO-Programming Language • single inheritance • dereferencing null, division by zero etc. cause non- termination • dynamic method binding • no nested expressions

  12. PROGRAM LOGIC Syntax Dynamic Logic with Updates: (as usual) Specialisation operator ↓ : PrgEl × Upd × For → PrgEl where PrgEl = Statement ˙ ∪ Expression denotes a program equivalent to if is executed ( ↓ ) U p ϕ p p , in a state s satisfying and coinciding on U ϕ Examples: • x =( y ) ↓ ( y := 3 , true )+ 3 ; • ( x = o . a + 3 ) ↓ ( o.a := 10 , o != null )

  13. PROGRAM LOGIC Notions Signature Σ : Program variables and attributes are modelled as non-rigid constants and unary function symbols First-order structure ( D, I ) : • Domain : sorted universe (interpretes sorts) D • Interpretation : interpretes rigid function and I predicate symbols States : s ∈ S interpretes program variables and attributes

  14. PROGRAM LOGIC Signature Extension Partial Evaluation may extend the signature (temporary variables, anonymous updates ) p ↓ Σ ′⊇ Σ ( U , ϕ ) where and and β Σ ′ ⊇ β Σ ( D, I ) Σ ′ ⊇ ( D, I ) Σ s Σ ′ ⊇ s Σ

  15. PROGRAM LOGIC Soundness Condition on the Specialisation Operator p ↓ Σ ′⊇ Σ ( U , ϕ ) For all formulas over Σ for all ( D, I ) Σ ′ , s Σ ′ , β Σ ′ , : ψ ( D, I ) Σ ′ , s Σ ′ , β Σ ′ | = � � � p ↓ ( U , ϕ ) � ψ → {U} ( ϕ → � p � ψ )

  16. PROGRAM LOGIC Partial Evaluation Rules Correctness Rewrite Action Requirement if ( b ) { p } else { q } ↓ ( U , ϕ ) U ( ϕ → b . Dead-Code = true ) Elimination � p ↓ ( U , ϕ ) o . a ↓ ( U , ϕ ) Safe Field U ( ϕ → !( o . � = null )) Access @( o . a ) ↓ ( U , ϕ ) ⊢ respModStrong( p , mod ) Partial ( p ; q ) ↓ ( U , ϕ ) � U ′ := UV mod Evaluator p ↓ ( U , ϕ ); q ↓ ( U ′ , ϕ ′ ) ( D, I ) | = {U}{V mod } ϕ ′ Propagation ⇒ ( D, I ) | = {U} � p � ϕ

  17. PROGRAM LOGIC Partial Evaluator Introduction Rules Γ ⊢ U !( o . = null ) , ∆ Γ ⊢ U{ o . a := t } � q ↓ ( o . a := t , ! o . = null ) � φ , ∆ Γ ⊢ U � o . a = t ; q � φ , ∆ and several others

  18. PROGRAM LOGIC Type Inference Rules res = o . m ( a 1 , . . . , a n ) ↓ ( ϕ , U ) ⊢ U ( ϕ → o ! . = null & o ′ = o ↓ ( ϕ , U ) C :: instance ( o )) res = @(( C ) o ′ ) . m ( a 1 ↓ ( ϕ , U ) , . . . , a n ↓ ( ϕ , U ))

  19. PROGRAM LOGIC Type Inference Rules A A a = ...; a is an instance of C equals(Obj) boolean eq = a.equals(c); B C Evaluator equals(Obj) equals(Obj) ... equals(Obj) equals(Obj) equals(Obj) equals(Obj) equals(Obj) equals(Obj) equals(Obj) equals(Obj) equals(Obj)

  20. DEMO

  21. FUTURE WORK • Simplification of specifications ‣ Partial evaluation of contracts and loop invariants ‣ Applicable to JavaCardDL / JML / OCL • Investigate applicability to application engineering

  22. FUTURE WORK Application Engineering Model Driven Application Partial Architecture Engineering Evaluation Platform Productline Program Independent Artefacts p Model Platform Definition ( U , ϕ ) Feature Model Configuration Platform Specific Application ( ↓ ) U Model p ϕ ,

  23. CONCLUSION (for the moment) β y = 80; threshold = 100; if (y > threshold) { decrease = true; } else { decrease = false; } while (y-threshold > eps) { y = decrease ? y-1 : y+1; } partial eval. as replaced generalisation of computation ↓ proof search ⊢ β -reduction linear in by number of locs in computation ↓ Hoare/VCG

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Implementing Partial Evaluator Via Symbolic Execution (Work in Progress) Ran Ji Joint work with

Implementing Partial Evaluator Via Symbolic Execution (Work in Progress) Ran Ji Joint work with

Implementing Partial Evaluator Via Symbolic Execution (Work in Progress) Ran Ji Joint work with Reiner H ahnle and Richard Bubel Department of Computer Science and Engineering Chalmers University of Technology May 26, 2010

1.04k views • 90 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Symbolic Bayesian inference by lazy partial evaluation Chung-chieh Shan (Indiana University)

Symbolic Bayesian inference by lazy partial evaluation Chung-chieh Shan (Indiana University)

Symbolic Bayesian inference by lazy partial evaluation Chung-chieh Shan (Indiana University) Norman Ramsey (Tufts University) November 2015 This research was supported by DARPA grants FA8750-14-2-0007 and FA8750-14-C-0002, NSF grant

721 views • 34 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department of Computer Science Portland State University 1 Agenda Introduction Related work and Background Our Approach Evaluation

717 views • 32 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
tr t Prt

tr t Prt

tr t Prt t ss r P

873 views • 62 slides
Generic Programming, Partial Evaluation, and a New Programming Paradigm Dr. Christopher Landauer

Generic Programming, Partial Evaluation, and a New Programming Paradigm Dr. Christopher Landauer

vg-gppe.txt Sun Jan 3 20:59:22 1999 1 Generic Programming, Partial Evaluation, and a New Programming Paradigm Dr. Christopher Landauer Aerospace Integration Science Center The Aerospace Corporation cal@aero.org Dr. Kirstie L.

515 views • 22 slides
CS 525: Advanced Database convert answer Organisation logical query plan execute apply laws

CS 525: Advanced Database convert answer Organisation logical query plan execute apply laws

SQL query parse parse tree CS 525: Advanced Database convert answer Organisation logical query plan execute apply laws 08: Query Processing statistics Pi improved l.q.p Parsing and Analysis pick best estimate result sizes

323 views • 18 slides
Programming Abstractions Week 7-2: MiniScheme A and B Stephen Checkoway Structure of MiniScheme

Programming Abstractions Week 7-2: MiniScheme A and B Stephen Checkoway Structure of MiniScheme

Programming Abstractions Week 7-2: MiniScheme A and B Stephen Checkoway Structure of MiniScheme Environment env.rkt Contains the environment data type (env list-of-symbols list-of-values previous-env) Contains other procedures to

542 views • 24 slides
Occam : Automated Software Winnowing Gregory Malecha 1 Ashish Gehani 2 Natarajan Shankar 2 1

Occam : Automated Software Winnowing Gregory Malecha 1 Ashish Gehani 2 Natarajan Shankar 2 1

Occam : Automated Software Winnowing Gregory Malecha 1 Ashish Gehani 2 Natarajan Shankar 2 1 Harvard 2 SRI Malecha, Gehani, Shankar Occam : Automated Software Winnowing 1 / 18 A story of success... Software engineering has been so successful

1.25k views • 27 slides
Normalization by Evaluation for Martin-Lf Type Theory with One Universe Peter Dybjer,

Normalization by Evaluation for Martin-Lf Type Theory with One Universe Peter Dybjer,

Normalization Martin-Lf type theory Normalization algorithm Decidability of equality Normalization by Evaluation for Martin-Lf Type Theory with One Universe Peter Dybjer, Gteborg (with Andreas Abel, Munich, and Klaus Aehlig, Swansea)

616 views • 28 slides
Towards a Formal Semantics for FHM: Part 2 Joey Capper and Henrik Nilsson School of Computer

Towards a Formal Semantics for FHM: Part 2 Joey Capper and Henrik Nilsson School of Computer

Towards a Formal Semantics for FHM: Part 2 Joey Capper and Henrik Nilsson School of Computer Science, University of Nottingham FPLab Away Day, Buxton, 8th of July 2011 Joey Capper and Henrik Nilsson (UoN) Verified FHM Semantics FPLab Away Day

544 views • 30 slides
Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken

Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken

Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken Stanford University PLDI 2016 This Talk Example: mathematical specification Goal: Bound the difference between spec and implementation

1.22k views • 111 slides

More recommend