cse507
play

CSE507 Computer-Aided Reasoning for Software Symbolic Execution - PowerPoint PPT Presentation

Feb 14, 2023 •393 likes •851 views

CSE507 Computer-Aided Reasoning for Software Symbolic Execution courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Bounded verification: forward VCG for finitized programs 2

  1. CSE507 Computer-Aided Reasoning for Software Symbolic Execution courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu

  2. Today 2

  3. Today Last lecture • Bounded verification: forward VCG for finitized programs 2

  4. Today Last lecture • Bounded verification: forward VCG for finitized programs Today • Symbolic execution: a path-based translation • Concolic testing 2

  5. The spectrum of program validation tools Static Analysis Verification Extended Static Bounded Verification Confidence Checking & Symbolic Execution Concolic Testing & Whitebox Fuzzing Ad-hoc Testing Cost (programmer effort, time, expertise) 3

  6. The spectrum of program validation tools Static Analysis Verification Extended Static Bounded Verification Confidence Checking & Symbolic Execution E.g., JPF, Klee Concolic Testing & Whitebox Fuzzing E.g., SAGE, Pex, CUTE, DART Ad-hoc Testing Cost (programmer effort, time, expertise) 3

  7. Symbolic execution 1976: A system to generate test data and symbolically execute programs (Lori Clarke) 1976: Symbolic execution and program testing (James King) 2005-present: practical symbolic execution • Using SMT solvers • Heuristics to control exponential explosion • Heap modeling and reasoning about pointers • Environment modeling • Dealing with solver limitations 4

  8. Classic symbolic execution def f (x, y): if (x > y): x = x + y y = x - y x = x - y if (x - y > 0): assert false return (x, y) 5

  9. Classic symbolic execution def f (x, y): if (x > y): x = x + y y = x - y x = x - y if (x - y > 0): assert false return (x, y) Execute the program on symbolic values . 5

  10. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): if (x > y): x = x + y y = x - y x = x - y if (x - y > 0): assert false return (x, y) Execute the program on symbolic values . Symbolic state maps variables to symbolic values. 5

  11. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ Y if (x > y): x = x + y x ↦ X y = x - y y ↦ Y x = x - y if (x - y > 0): assert false return (x, y) Execute the program on symbolic values . Symbolic state maps variables to symbolic values. Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. 5

  12. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ Y if (x > y): x = x + y x ↦ X y = x - y y ↦ Y x = x - y if (x - y > 0): feasible assert false return (x, y) Execute the program on symbolic values . Symbolic state maps variables to symbolic values. Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. All paths in the program form its execution tree , in which some paths are feasible and some are infeasible . 5

  13. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): feasible assert false return (x, y) Execute the program on symbolic values . Symbolic state maps variables to symbolic values. Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. All paths in the program form its execution tree , in which some paths are feasible and some are infeasible . 5

  14. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . Symbolic state maps variables to symbolic values. Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. All paths in the program form its execution tree , in which some paths are feasible and some are infeasible . 5

  15. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. All paths in the program form its execution tree , in which some paths are feasible and some are infeasible . 5

  16. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch Y - X ≤ 0 decisions taken so far. x ↦ Y All paths in the program form its execution tree , y ↦ X in which some paths are feasible and some are infeasible . 5

  17. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch Y - X ≤ 0 decisions taken so far. x ↦ Y All paths in the program form its execution tree , y ↦ X in which some paths are feasible and some are infeasible . feasible 5

  18. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch Y - X ≤ 0 Y - X > 0 decisions taken so far. x ↦ Y x ↦ Y All paths in the program form its execution tree , y ↦ X y ↦ X in which some paths are feasible and some are infeasible . feasible 5

  19. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch Y - X ≤ 0 Y - X > 0 decisions taken so far. x ↦ Y x ↦ Y All paths in the program form its execution tree , y ↦ X y ↦ X in which some paths are feasible and some are infeasible . infeasible feasible 5

  20. Classic symbolic execution: practical issues 6

  21. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees 6

  22. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths 6

  23. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths Heap modeling: symbolic data structures and pointers 6

  24. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths Heap modeling: symbolic data structures and pointers Solver limitations: dealing with complex PCs 6

  25. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths Heap modeling: symbolic data structures and pointers Solver limitations: dealing with complex PCs Environment modeling: dealing with native / system / library calls 6

  26. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths Heap modeling: symbolic data structures and pointers Solver limitations: dealing with complex PCs Environment modeling: dealing with native / system / library calls 6

  27. Loops and recursion Dealing with infinite execution trees: • Finitize paths by limiting the size of PCs (bounded verification) • Use loop invariants (verification) 7

  28. Loops and recursion Dealing with infinite execution trees: • Finitize paths by limiting the size of PCs (bounded verification) • Use loop invariants (verification) init; while (C) { I B; } assert P; 7

  29. Loops and recursion Dealing with infinite execution trees: • Finitize paths by limiting the size of PCs (bounded verification) • Use loop invariants (verification) init; assert I; makeSymbolic(targets(B)); init; assume I; while (C) { if (C) { I B; B; } assert I; assert P; } else assert P; 7

  30. Path explosion Achieving good coverage in the presence of exponentially many paths: • Select next branch at random • Select next branch based on coverage • Interleave symbolic execution with random testing 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE507 Computer-Aided Reasoning for Software Finite Model Finding

CSE507 Computer-Aided Reasoning for Software Finite Model Finding

CSE507 Computer-Aided Reasoning for Software Finite Model Finding courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture The DPPL(T) framework for deciding quantifier-free SMT

986 views • 69 slides
CSE507 Computer-Aided Reasoning for Software Bounded Verification

CSE507 Computer-Aided Reasoning for Software Bounded Verification

CSE507 Computer-Aided Reasoning for Software Bounded Verification courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Full functional verification with Dafny, Boogie, and Z3 2

809 views • 54 slides
CSE507 Computer-Aided Reasoning for Software Program Synthesis

CSE507 Computer-Aided Reasoning for Software Program Synthesis

CSE507 Computer-Aided Reasoning for Software Program Synthesis courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today Last lecture Angelic nondeterminism and execution Today Program synthesis:

645 views • 15 slides
CSE507 Computer-Aided Reasoning for Software Model Checking I

CSE507 Computer-Aided Reasoning for Software Model Checking I

CSE507 Computer-Aided Reasoning for Software Model Checking I courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Symbolic execution and concolic testing 2 Today Last lecture

776 views • 62 slides
CSE507 Computer-Aided Reasoning for Software Solver-Aided Languages

CSE507 Computer-Aided Reasoning for Software Solver-Aided Languages

CSE507 Computer-Aided Reasoning for Software Solver-Aided Languages courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Program synthesis 2 Today Last lecture Program

1.77k views • 127 slides
CSE507 Computer-Aided Reasoning for Software Model Checking II

CSE507 Computer-Aided Reasoning for Software Model Checking II

CSE507 Computer-Aided Reasoning for Software Model Checking II courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Model checking basics 2 Today Last lecture Model

831 views • 55 slides
Informatics 2D Reasoning and Agents Semester 2, 20192020 Alex Lascarides

Informatics 2D Reasoning and Agents Semester 2, 20192020 Alex Lascarides

Introduction Planning with state-space search Partial-order planning Summary Informatics 2D Reasoning and Agents Semester 2, 20192020 Alex Lascarides alex@inf.ed.ac.uk Lecture 17 State-Space Search and Partial-Order Planning 27th

486 views • 23 slides
Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3 David S. Touretzky September, 2013 Basics of Control Theory Desired Control Controller Plant state signals Current state The plant

407 views • 25 slides
Semantic-Based Development of Service-Oriented Systems Martin Wirsing LMU Mnchen in

Semantic-Based Development of Service-Oriented Systems Martin Wirsing LMU Mnchen in

Semantic-Based Development of Service-Oriented Systems Martin Wirsing LMU Mnchen in Kooperation mit A. Clark 1 , S. Gilmore 1 , M. Hlzl 2 , A. Knapp 2 , N. Koch 2 , A. Schroeder 2 1 University of Edinburgh 2 LMU Mnchen YRSOC, Leicester,

513 views • 27 slides
A factor model for Forward Price Dynamics Paolo Foschi University of Bologna Padova 2013

A factor model for Forward Price Dynamics Paolo Foschi University of Bologna Padova 2013

A factor model for Forward Price Dynamics Paolo Foschi University of Bologna Padova 2013 Motivation Analyse, study and predict electricity forward prices on Italian Market Quotation on forward prices are available from GME, Gestore

340 views • 19 slides
The Postal Service Cost to Deliver Parcels on Letter Routes and Parcel Routes Robert Cohen and

The Postal Service Cost to Deliver Parcels on Letter Routes and Parcel Routes Robert Cohen and

The Postal Service Cost to Deliver Parcels on Letter Routes and Parcel Routes Robert Cohen and John Waller Brief Summary Develop street parcel delivery costs for letter and parcel routes Savings from delivery of parcels on letter routes is

210 views • 19 slides
Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death processes Biarth and death processes Bo Friis Nielsen 1 Limiting behaviour of birth and death processes Next week 1 DTU Informatics Finite state

309 views • 7 slides
Differential equations Programming of Differential Equations A differential equation (ODE)

Differential equations Programming of Differential Equations A differential equation (ODE)

5mm. Differential equations Programming of Differential Equations A differential equation (ODE) written in generic form: (Appendix E) u ( t ) = f ( u ( t ) , t ) Hans Petter Langtangen The solution of this equation is a function u ( t ) To

219 views • 4 slides
App.E: Programming of differential equations Hans Petter Langtangen 1 , 2 Joakim Sundnes 1 , 2

App.E: Programming of differential equations Hans Petter Langtangen 1 , 2 Joakim Sundnes 1 , 2

App.E: Programming of differential equations Hans Petter Langtangen 1 , 2 Joakim Sundnes 1 , 2 Simula Research Laboratory 1 University of Oslo, Dept. of Informatics 2 Nov 10, 2017 Plan for the rest of the fall (1) Friday November 10: Short quiz

849 views • 36 slides
The time complexity of Backprop; Auto-Diff; and the Baur-Strassen theorem Instructor: Sham Kakade

The time complexity of Backprop; Auto-Diff; and the Baur-Strassen theorem Instructor: Sham Kakade

CSE 446: Machine Learning Lecture The time complexity of Backprop; Auto-Diff; and the Baur-Strassen theorem Instructor: Sham Kakade 1 Multi-layer perceptrons We can specify an L -hidden layer network as follows: given outputs { z ( l ) j } from

321 views • 3 slides
s

s

s q s s

249 views • 6 slides
An approach to fully coupled FBSDEs via functional differential equations Matteo Casserini

An approach to fully coupled FBSDEs via functional differential equations Matteo Casserini

Brownian FBSDEs as functional differential equations Fully coupled forwardbackward stochastic dynamics Existence and uniqueness of solutions Related discretization algorithms for Brownian FBSDEs An approach to fully coupled FBSDEs via

760 views • 44 slides
Prr rt

Prr rt

Prr rt qts s Pttr t , sr rtr

973 views • 63 slides
An introduction to mathematical models in image processing with a focus on PDEs and optimization

An introduction to mathematical models in image processing with a focus on PDEs and optimization

ABCs of image processing Image and PDEs Image and optimization Optimization and dynamic differential system An introduction to mathematical models in image processing with a focus on PDEs and optimization techniques Yifei Lou Department of

1.16k views • 52 slides
ENTROPY FORMULATION FOR FORWARD-BACKWARD PARABOLIC EQUATION A.Terracina University La Sapienza,

ENTROPY FORMULATION FOR FORWARD-BACKWARD PARABOLIC EQUATION A.Terracina University La Sapienza,

ENTROPY FORMULATION FOR FORWARD- BACKWARD PARABOLIC EQUATION A. Terracina ENTROPY FORMULATION FOR FORWARD-BACKWARD PARABOLIC EQUATION A.Terracina University La Sapienza, Roma, Italy 25/06/2012 ENTROPY FORMULATION FOR Collaboration

897 views • 68 slides
Ordinary and partial differential equations Victor Eijkhout 335/394 fall 2011 ODEs and PDEs

Ordinary and partial differential equations Victor Eijkhout 335/394 fall 2011 ODEs and PDEs

Ordinary and partial differential equations Victor Eijkhout 335/394 fall 2011 ODEs and PDEs Time-evolving phenomena: IVP (Initial Value Problem), usually Ordinary Differential Equations Space-constraint phenomena: BVP (Boundary Value Problem),

713 views • 25 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18:

18: Axioms & Uniform Substitutions Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 1

1.96k views • 170 slides
ODE / IV Problems CS3220 - Summer 2008 Jonathan Kaldor Differential Equations So far, we

ODE / IV Problems CS3220 - Summer 2008 Jonathan Kaldor Differential Equations So far, we

ODE / IV Problems CS3220 - Summer 2008 Jonathan Kaldor Differential Equations So far, we have looked at problems involving one or more variables, with either linear or nonlinear relationships between them A Differential Equation is

504 views • 39 slides
22: Axioms & Uniform Substitutions 15-424: Foundations of Cyber-Physical Systems Andr e

22: Axioms & Uniform Substitutions 15-424: Foundations of Cyber-Physical Systems Andr e

22: Axioms & Uniform Substitutions 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA The Secret for Simpler Sound Hybrid Systems

1.99k views • 181 slides

More recommend