implementing partial evaluator via symbolic execution
play

Implementing Partial Evaluator Via Symbolic Execution (Work in - PowerPoint PPT Presentation

Aug 16, 2022 •133 likes •1.04k views

Implementing Partial Evaluator Via Symbolic Execution (Work in Progress) Ran Ji Joint work with Reiner H ahnle and Richard Bubel Department of Computer Science and Engineering Chalmers University of Technology May 26, 2010

  1. Implementing Partial Evaluator Via Symbolic Execution (Work in Progress) Ran Ji Joint work with Reiner H¨ ahnle and Richard Bubel Department of Computer Science and Engineering Chalmers University of Technology May 26, 2010 www.key-project.org www.hats-project.eu Ran Ji KeY’10 100526 1 / 19

  2. Outline ◮ Introduction to partial evaluation ◮ Interleaving symbolic execution and partial evaluation ◮ Implementing partial evaluator via symbolic execution ◮ Summary Ran Ji KeY’10 100526 2 / 19

  3. Partial Evaluation Theorem ( s mn Theorem, Kleene, 1943) Let f ( � y ) be a computable function with � x = x 1 , . . . , x m , � y = y 1 , . . . , y n . x ,� There is an m + 1 -ary primitive recursive function s m n such that: x ) = λ� y . f ( � y ) φ s m x ,� n ( f ,� Proof. Choose s m n such that φ s m x ) binds the first m free variables of f to the n ( f ,� first m arguments, then run f . Ran Ji KeY’10 100526 3 / 19

  4. Partial Evaluation Theorem ( s mn Theorem, Kleene, 1943) Let f ( � y ) be a computable function with � x = x 1 , . . . , x m , � y = y 1 , . . . , y n . x ,� There is an m + 1 -ary primitive recursive function s m n such that: x ) = λ� y . f ( � y ) φ s m x ,� n ( f ,� Proof. Choose s m n such that φ s m x ) binds the first m free variables of f to the n ( f ,� first m arguments, then run f . Research Programme of Partial Evaluation Prove the s mn Theorem in a non-trivial way such that: 1 φ s m x ) is more efficient than f n ( f ,� 2 for programs, not only functions Ran Ji KeY’10 100526 3 / 19

  5. Partial Evaluation, Cont’d Program specialization with optimization as goal ◮ Intended to be fully automatic (cf. program transformation) ◮ Research started 1964ff, 1980s “golden time” ◮ Mainly used in functional/logic programming ◮ Mainly used in compilation, compiler generation, meta-interpretation ◮ Techniques: • folding, constant propagation • binding time analysis (what can be considered as static?) • program point specialization (define+fold) • symbolic execution ◮ side effects, dynamic calls, aliases — gets ugly and somewhat ad hoc ◮ Seemingly no advanced PE for recent Java available (JSpec dead?) Ran Ji KeY’10 100526 4 / 19

  6. Symbolic Execution or Partial Evaluation Both viewed as generalization of standard program execution Ran Ji KeY’10 100526 5 / 19

  7. Symbolic Execution or Partial Evaluation Both viewed as generalization of standard program execution Symbolic Execution Execution of one program run with symbolic values Ran Ji KeY’10 100526 5 / 19

  8. Symbolic Execution or Partial Evaluation Both viewed as generalization of standard program execution Symbolic Execution Execution of one program run with symbolic values Partial Evaluation static input � x partial target evaluator program p mix dynamic specialized pro- specialized output input � gram p � program p � y x x Ran Ji KeY’10 100526 5 / 19

  9. Symbolic Execution and Partial Evaluation: Opportunities Ran Ji KeY’10 100526 6 / 19

  10. Symbolic Execution and Partial Evaluation: Opportunities ◮ Symbolic execution cannot specialize its target code: employ partial evaluation Ran Ji KeY’10 100526 6 / 19

  11. Symbolic Execution and Partial Evaluation: Opportunities ◮ Symbolic execution cannot specialize its target code: employ partial evaluation Interleaving symbolic execution and partial evaluation, to boost the performance of symbolic execution (FMCO’09) Ran Ji KeY’10 100526 6 / 19

  12. Symbolic Execution and Partial Evaluation: Opportunities ◮ Symbolic execution cannot specialize its target code: employ partial evaluation Interleaving symbolic execution and partial evaluation, to boost the performance of symbolic execution (FMCO’09) ◮ Partial evaluation approximates operational semantics: gain precision with complete symbolic execution engine Ran Ji KeY’10 100526 6 / 19

  13. Symbolic Execution and Partial Evaluation: Opportunities ◮ Symbolic execution cannot specialize its target code: employ partial evaluation Interleaving symbolic execution and partial evaluation, to boost the performance of symbolic execution (FMCO’09) ◮ Partial evaluation approximates operational semantics: gain precision with complete symbolic execution engine Interleaving symbolic execution and partial evaluation, to achieve a sophisticated partial evaluator (Work in progress!) Ran Ji KeY’10 100526 6 / 19

  14. Running Example: Control Circuit y = 80; threshold = 100; if (y > threshold) { decrease = true ; } else { decrease = false ; } while ( | y − threshold | > eps) { y = decrease ? y − 1 : y+1; } Ran Ji KeY’10 100526 7 / 19

  15. Control-Flow Graph (CFG) y=80 y = 80; threshold=100 threshold = 100; y > threshold ? if (y > threshold) decrease= true decrease= false { decrease = true ; } else { decrease = false ; } | y − threshold | > eps ? while ( | y − threshold | > eps) { decrease ? y = decrease ? y − 1 : y+1; y=y − 1 y=y+1 } • • Ran Ji KeY’10 100526 8 / 19

  16. Partial Evaluation On CFG y=80 Variables Value y threshold=100 threshold y > threshold ? decrease decrease= true decrease= false Static information propagated along CFG: | y − threshold | > eps ? decrease ? y=y − 1 y=y+1 • • Ran Ji KeY’10 100526 9 / 19

  17. Partial Evaluation On CFG y=80 Variables Value y 80 threshold=100 threshold y > threshold ? decrease decrease= true decrease= false Static information propagated along CFG: | y − threshold | > eps ? decrease ? y=y − 1 y=y+1 • • Ran Ji KeY’10 100526 9 / 19

  18. Partial Evaluation On CFG y=80 Variables Value y 80 threshold=100 threshold 100 y > threshold ? decrease decrease= true decrease= false Static information propagated along CFG: | y − threshold | > eps ? decrease ? y=y − 1 y=y+1 • • Ran Ji KeY’10 100526 9 / 19

  19. Partial Evaluation On CFG y=80 Variables Value y 80 threshold=100 threshold 100 80 > 100 ? decrease decrease= true decrease= false Static information propagated along CFG: | y − threshold | > eps ? ◮ constant propagation decrease ? y=y − 1 y=y+1 • • Ran Ji KeY’10 100526 9 / 19

  20. Partial Evaluation On CFG y=80 Variables Value y 80 threshold=100 threshold 100 decrease false decrease= true decrease= false Static information propagated along CFG: | y − threshold | > eps ? ◮ constant propagation ◮ constant expression decrease ? evaluation y=y − 1 y=y+1 • • Ran Ji KeY’10 100526 9 / 19

  21. Partial Evaluation On CFG y=80 Variables Value y 80 threshold=100 threshold 100 decrease false decrease= false Static information propagated along CFG: | y − threshold | > eps ? ◮ constant propagation ◮ constant expression decrease ? evaluation y=y − 1 y=y+1 ◮ dead code elimination • • Ran Ji KeY’10 100526 9 / 19

  22. Partial Evaluation On CFG y=80 Variables Value y 80 threshold=100 threshold 100 decrease false false decrease= false Static information propagated along CFG: | y − threshold | > eps ? ◮ constant propagation ◮ constant expression decrease ? evaluation y=y − 1 y=y+1 ◮ dead code elimination • • Ran Ji KeY’10 100526 9 / 19

  23. Partial Evaluation On CFG y=80 Variables Value y 80 threshold=100 threshold 100 decrease false false decrease= false Static information propagated along CFG: | y − threshold | > eps ? ◮ constant propagation ◮ constant expression decrease ? evaluation y=y − 1 y=y+1 ◮ dead code elimination • • Ran Ji KeY’10 100526 9 / 19

  24. Partial Evaluation On CFG y=80 Variables Value y - threshold=100 threshold 100 decrease false false decrease= false Static information propagated along CFG: | y − threshold | > eps ? ◮ constant propagation ◮ constant expression decrease ? evaluation y=y − 1 y=y+1 ◮ dead code elimination • • Ran Ji KeY’10 100526 9 / 19

  25. Partial Evaluation On CFG y=80 Variables Value y - threshold=100 threshold 100 decrease false false decrease= false Static information propagated along CFG: | y − 100 | > eps ? ◮ constant propagation ◮ constant expression decrease ? evaluation y=y − 1 y=y+1 ◮ dead code elimination • • Ran Ji KeY’10 100526 9 / 19

  26. Partial Evaluation On CFG y=80 Variables Value y - threshold=100 threshold 100 decrease false false decrease= false Static information propagated along CFG: | y − 100 | > eps ? ◮ constant propagation ◮ constant expression decrease ? evaluation y=y − 1 y=y+1 ◮ dead code elimination • • Ran Ji KeY’10 100526 9 / 19

  27. Partial Evaluation On CFG y=80 Variables Value y - threshold=100 threshold 100 decrease false false decrease= false Static information propagated along CFG: | y − 100 | > eps ? ◮ constant propagation ◮ constant expression false evaluation y=y+1 ◮ dead code elimination • • Ran Ji KeY’10 100526 9 / 19

  28. Partial Evaluation On CFG y=80 Variables Value y - threshold=100 threshold 100 decrease false false decrease= false Static information propagated along CFG: | y − 100 | > eps ? ◮ constant propagation ◮ constant expression false evaluation y=y+1 ◮ dead code elimination • • Ran Ji KeY’10 100526 9 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool Reiner H ahnle (joint work with Richard Bubel and Ran Ji) Chalmers University of Technology Department of Computer Science and Engineering 10

1.11k views • 82 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION Reiner Hhnle & Richard Bubel Chalmers

COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION Reiner Hhnle & Richard Bubel Chalmers

COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION Reiner Hhnle & Richard Bubel Chalmers University Symposium09 Speyer CONTROL CIRCUIT y = 80; threshold = 100; if (y > threshold) { decrease = true; } else { decrease = false;

598 views • 23 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
D EEP B ELIEF N ETWORKS (DBN S ) Deep belief nets are probabilistic generative models that are

D EEP B ELIEF N ETWORKS (DBN S ) Deep belief nets are probabilistic generative models that are

R ESTRICTED B OLTZMANN M ACHINES AND D EEP B ELIEF N ETWORKS ON M ULTI -C ORE P ROCESSORS Jo Noel Lopes Bernardete Ribeiro ao Gonc alves University of Coimbra Polytechnic Institute of Guarda June 11, 2012 WCCIIJCNN D EEP B ELIEF N

692 views • 50 slides
T-duality Invariant Formalisms at the Quantum Level Daniel Thompson Queen Mary University of

T-duality Invariant Formalisms at the Quantum Level Daniel Thompson Queen Mary University of

Introduction Duality Invariant Formalisms for Abelian T-duality Renormalisation of Duality Invariant Formalism Generalising T-duality Invariant Constructions Conclusions T-duality Invariant Formalisms at the Quantum Level Daniel Thompson

424 views • 28 slides
Edaphobase a new online soil-zoological data warehouse U. Burkhardt, D.J. Russell, H. Hfer, S.

Edaphobase a new online soil-zoological data warehouse U. Burkhardt, D.J. Russell, H. Hfer, S.

Edaphobase a new online soil-zoological data warehouse U. Burkhardt, D.J. Russell, H. Hfer, S. Lesch, S. Rick, J. Rmbke, W.E.R. Xylander et al. http://portal.edaphobase.org/ Edaphobase: currently included taxa Nematoda Lumbricidae

249 views • 14 slides
The boundary element method discretised with the space-time method for the heat equation in 2D 1

The boundary element method discretised with the space-time method for the heat equation in 2D 1

The boundary element method discretised with the space-time method for the heat equation in 2D 1 Kazuki Niino, Olaf Steinbach TU Graz 2 Background Space-time method for a BEM Flexible mesh Stability Large coefficient matrix

286 views • 27 slides
Generating Wannier Function within OpenMX Hongming Weng ( ) Institute of Physics,

Generating Wannier Function within OpenMX Hongming Weng ( ) Institute of Physics,

Generating Wannier Function within OpenMX Hongming Weng ( ) Institute of Physics, Chinese Academy of Sciences July. 2-12, 2018@ISSP Wave-function in Solids periodical boundary condition 1, Bloch representation R ] = 0 n k (r)

290 views • 28 slides
SMO Algorithm Milan Straka December 02, 2019 Charles University in Prague Faculty of

SMO Algorithm Milan Straka December 02, 2019 Charles University in Prague Faculty of

NPFL129, Lecture 7 SMO Algorithm Milan Straka December 02, 2019 Charles University in Prague Faculty of Mathematics and Physics Institute of Formal and Applied Linguistics unless otherwise stated Kernel Linear Regression 3 O ( D ) D When

935 views • 22 slides
Soft-margin SVM, SMO Algorithm, Decision Trees Milan Straka November 25, 2019 Charles

Soft-margin SVM, SMO Algorithm, Decision Trees Milan Straka November 25, 2019 Charles

NPFL129, Lecture 6 Soft-margin SVM, SMO Algorithm, Decision Trees Milan Straka November 25, 2019 Charles University in Prague Faculty of Mathematics and Physics Institute of Formal and Applied Linguistics unless otherwise stated Kernel

1.09k views • 27 slides
Max-Margin Markov Networks Ben Taskar Carlos Guestrin Daphne Koller Main Contribution The

Max-Margin Markov Networks Ben Taskar Carlos Guestrin Daphne Koller Main Contribution The

Max-Margin Markov Networks Ben Taskar Carlos Guestrin Daphne Koller Main Contribution The authors combine a graphic model and a discriminative model and apply it in a sequential learning setting. Graphic models: better at

222 views • 8 slides

More recommend