Implementing Partial Evaluator Via Symbolic Execution (Work in - - PowerPoint PPT Presentation

Implementing Partial Evaluator Via Symbolic Execution (Work in Progress)

Ran Ji

Joint work with Reiner H¨ ahnle and Richard Bubel

Department of Computer Science and Engineering Chalmers University of Technology May 26, 2010 www.key-project.org www.hats-project.eu

Ran Ji KeY’10 100526 1 / 19

Outline

◮ Introduction to partial evaluation ◮ Interleaving symbolic execution and partial evaluation ◮ Implementing partial evaluator via symbolic execution ◮ Summary

Ran Ji KeY’10 100526 2 / 19

Partial Evaluation

Theorem (smn Theorem, Kleene, 1943) Let f ( x, y) be a computable function with x = x1, . . . , xm, y = y1, . . . , yn. There is an m + 1-ary primitive recursive function sm

n such that:

φsm

n (f ,

x) = λ

y.f ( x, y) Proof. Choose sm

n such that φsm

n (f ,

x) binds the first m free variables of f to the

first m arguments, then run f .

Ran Ji KeY’10 100526 3 / 19

Partial Evaluation

Theorem (smn Theorem, Kleene, 1943) Let f ( x, y) be a computable function with x = x1, . . . , xm, y = y1, . . . , yn. There is an m + 1-ary primitive recursive function sm

n such that:

φsm

n (f ,

x) = λ

y.f ( x, y) Proof. Choose sm

n such that φsm

n (f ,

x) binds the first m free variables of f to the

first m arguments, then run f . Research Programme of Partial Evaluation Prove the smn Theorem in a non-trivial way such that:

1 φsm n (f ,

x) is more efficient than f

2 for programs, not only functions Ran Ji KeY’10 100526 3 / 19

Partial Evaluation, Cont’d

Program specialization with optimization as goal

◮ Intended to be fully automatic (cf. program transformation) ◮ Research started 1964ff, 1980s “golden time” ◮ Mainly used in functional/logic programming ◮ Mainly used in compilation, compiler generation, meta-interpretation ◮ Techniques:

• folding, constant propagation
• binding time analysis (what can be considered as static?)
• program point specialization (define+fold)
• symbolic execution

◮ side effects, dynamic calls, aliases — gets ugly and somewhat ad hoc ◮ Seemingly no advanced PE for recent Java available (JSpec dead?)

Ran Ji KeY’10 100526 4 / 19

Symbolic Execution or Partial Evaluation

Both viewed as generalization of standard program execution

Ran Ji KeY’10 100526 5 / 19

Symbolic Execution or Partial Evaluation

Both viewed as generalization of standard program execution Symbolic Execution Execution of one program run with symbolic values

Ran Ji KeY’10 100526 5 / 19

Symbolic Execution or Partial Evaluation

Both viewed as generalization of standard program execution Symbolic Execution Execution of one program run with symbolic values Partial Evaluation partial evaluator mix static input

• x

specialized pro- gram p

x

specialized program p

x

• utput

dynamic input y target program p

Ran Ji KeY’10 100526 5 / 19

Symbolic Execution and Partial Evaluation: Opportunities

Ran Ji KeY’10 100526 6 / 19

Symbolic Execution and Partial Evaluation: Opportunities

◮ Symbolic execution cannot specialize its target code:

employ partial evaluation

Ran Ji KeY’10 100526 6 / 19

Symbolic Execution and Partial Evaluation: Opportunities

◮ Symbolic execution cannot specialize its target code:

employ partial evaluation Interleaving symbolic execution and partial evaluation, to boost the performance of symbolic execution (FMCO’09)

Ran Ji KeY’10 100526 6 / 19

Symbolic Execution and Partial Evaluation: Opportunities

◮ Symbolic execution cannot specialize its target code:

employ partial evaluation Interleaving symbolic execution and partial evaluation, to boost the performance of symbolic execution (FMCO’09)

◮ Partial evaluation approximates operational semantics:

gain precision with complete symbolic execution engine

Ran Ji KeY’10 100526 6 / 19

Symbolic Execution and Partial Evaluation: Opportunities

◮ Symbolic execution cannot specialize its target code:

employ partial evaluation Interleaving symbolic execution and partial evaluation, to boost the performance of symbolic execution (FMCO’09)

◮ Partial evaluation approximates operational semantics:

gain precision with complete symbolic execution engine Interleaving symbolic execution and partial evaluation, to achieve a sophisticated partial evaluator (Work in progress!)

Ran Ji KeY’10 100526 6 / 19

Running Example: Control Circuit

y = 80; threshold = 100; if (y > threshold) { decrease = true; } else { decrease = false; } while (|y−threshold| > eps) { y = decrease ? y−1 : y+1; }

Ran Ji KeY’10 100526 7 / 19

Control-Flow Graph (CFG)

y=80 threshold=100 y>threshold ? decrease=true decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• y = 80;

threshold = 100; if (y > threshold) { decrease = true; } else { decrease = false;} while (|y−threshold| > eps) { y = decrease ? y−1 : y+1; }

Ran Ji KeY’10 100526 8 / 19

Partial Evaluation On CFG

y=80 threshold=100 y>threshold ? decrease=true decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y threshold decrease Static information propagated along CFG:

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 y>threshold ? decrease=true decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y 80 threshold decrease Static information propagated along CFG:

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 y>threshold ? decrease=true decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y 80 threshold 100 decrease Static information propagated along CFG:

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 80>100 ? decrease=true decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y 80 threshold 100 decrease Static information propagated along CFG:

◮ constant propagation

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=true decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y 80 threshold 100 decrease Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y 80 threshold 100 decrease Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

◮ dead code elimination

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y 80 threshold 100 decrease false Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

◮ dead code elimination

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y 80 threshold 100 decrease false Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

◮ dead code elimination

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y

• threshold

100 decrease false Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

◮ dead code elimination

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=false |y−100| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y

• threshold

100 decrease false Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

◮ dead code elimination

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=false |y−100| > eps ? decrease ? y=y−1 y=y+1

• Variables

Value y

• threshold

100 decrease false Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

◮ dead code elimination

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=false |y−100| > eps ? false y=y+1

• Variables

Value y

• threshold

100 decrease false Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

◮ dead code elimination

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=false |y−100| > eps ? false y=y+1

• Variables

Value y

• threshold

100 decrease false Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

◮ dead code elimination

Ran Ji KeY’10 100526 9 / 19

Partial Evaluation On CFG

y=80 threshold=100 false decrease=false |y−100| > eps ? false y=y+1

• Variables

Value y

• threshold

100 decrease false Static information propagated along CFG:

◮ constant propagation ◮ constant expression

evaluation

◮ dead code elimination ◮ also: type coercion,

safe dereferencing, etc.

Ran Ji KeY’10 100526 9 / 19

Same Example But More Realistic

y=80 threshold=100 y>threshold ? decrease=true decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Ran Ji

KeY’10 100526 10 / 19

Same Example But More Realistic

threshold=100 y>threshold ? decrease=true decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• Ran Ji

KeY’10 100526 10 / 19

Same Example But More Realistic

threshold=100 y>threshold ? decrease=true decrease=false |y−threshold| > eps ? decrease ? y=y−1 y=y+1

• mix

threshold=100 y>100 ? decrease=true decrease=false |y−100| > eps ? decrease ? y=y−1 y=y+1

• Ran Ji

KeY’10 100526 10 / 19

Symbolic Execution: Unwinding the CFG

threshold=100

Ran Ji KeY’10 100526 11 / 19

Symbolic Execution: Unwinding the CFG

threshold=100 y>threshold ?

Ran Ji KeY’10 100526 11 / 19

Symbolic Execution: Unwinding the CFG

threshold=100 y>threshold ? decrease=true decrease=false

Ran Ji KeY’10 100526 11 / 19

Symbolic Execution: Unwinding the CFG

threshold=100 y>threshold ? decrease=true decrease=false |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

Ran Ji KeY’10 100526 11 / 19

Symbolic Execution: Unwinding the CFG

threshold=100 y>threshold ? decrease=true decrease=false |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

|y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 Ran Ji KeY’10 100526 11 / 19

Symbolic Execution: Unwinding the CFG

threshold=100 y>threshold ? decrease=true decrease=false |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

|y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 Ran Ji KeY’10 100526 11 / 19

Interleaving Symbolic Execution and Partial Evaluation

threshold=100 y>threshold ? decrease=true decrease=false |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

|y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 Ran Ji KeY’10 100526 12 / 19

Interleaving Symbolic Execution and Partial Evaluation

threshold=100 y>threshold ? decrease=true decrease=false |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

|y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 Ran Ji KeY’10 100526 12 / 19

Interleaving Symbolic Execution and Partial Evaluation

threshold=100 y>threshold ? decrease=true decrease=false |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

|y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 |y−threshold|>eps ? |y−threshold|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

mix

Ran Ji KeY’10 100526 12 / 19

Interleaving Symbolic Execution and Partial Evaluation

threshold=100 y>100 ? decrease=true decrease=false |y−100|>eps ? |y−100|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

|y−100|>eps ? |y−100|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 |y−100|>eps ? |y−100|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

mix

Ran Ji KeY’10 100526 12 / 19

Interleaving Symbolic Execution and Partial Evaluation

threshold=100 y>100 ? decrease=true decrease=false |y−100|>eps ? |y−100|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

|y−100|>eps ? |y−100|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 |y−100|>eps ? |y−100|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 Ran Ji KeY’10 100526 12 / 19

Interleaving Symbolic Execution and Partial Evaluation

threshold=100 y>100 ? decrease=true decrease=false |y−100|>eps ? |y−100|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

|y−100|>eps ? |y−100|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1 |y−100|>eps ? |y−100|>eps ? decrease ? decrease ? y=y−1 y=y+1 y=y−1 y=y+1

mix mix

Ran Ji KeY’10 100526 12 / 19

Interleaving Symbolic Execution and Partial Evaluation

threshold=100 y>100 ? decrease=true decrease=false |y−100|>eps ? |y−100|>eps ? true false y=y−1 y=y+1 y=y−1 y=y+1

|y−100|>eps ? |y−100|>eps ? true true y=y−1 y=y+1 y=y−1 y=y+1 |y−100|>eps ? |y−100|>eps ? false false y=y−1 y=y+1 y=y−1 y=y+1

mix mix

Ran Ji KeY’10 100526 12 / 19

Interleaving Symbolic Execution and Partial Evaluation

threshold=100 y>100 ? decrease=true decrease=false |y−100|>eps ? |y−100|>eps ? true false y=y−1 y=y+1

|y−100|>eps ? true y=y−1 |y−100|>eps ? false y=y+1

mix mix

Ran Ji KeY’10 100526 12 / 19

A Partial Evaluator for Java based on Symbolic Execution

Work in progress

Up-to-now: Partial evaluation used to speed up symbolic execution More technical details refer to FMCO’09 paper Can we obtain a partial evaluator for Java programs?

Ran Ji KeY’10 100526 13 / 19

A Partial Evaluator for Java based on Symbolic Execution

Work in progress

Up-to-now: Partial evaluation used to speed up symbolic execution More technical details refer to FMCO’09 paper Can we obtain a partial evaluator for Java programs? Basic approach: Interleave symbolic execution and partial evaluation as before

Ran Ji KeY’10 100526 13 / 19

A Partial Evaluator for Java based on Symbolic Execution

Work in progress

Up-to-now: Partial evaluation used to speed up symbolic execution More technical details refer to FMCO’09 paper Can we obtain a partial evaluator for Java programs? Basic approach: Interleave symbolic execution and partial evaluation as before After exhaustive symbolic execution:

◮ Collect simplified statements along execution path

Ran Ji KeY’10 100526 13 / 19

A Partial Evaluator for Java based on Symbolic Execution

Work in progress

Up-to-now: Partial evaluation used to speed up symbolic execution More technical details refer to FMCO’09 paper Can we obtain a partial evaluator for Java programs? Basic approach: Interleave symbolic execution and partial evaluation as before After exhaustive symbolic execution:

◮ Collect simplified statements along execution path ◮ Merge execution paths:

• Introducing conditional statements

Ran Ji KeY’10 100526 13 / 19

A Partial Evaluator for Java based on Symbolic Execution

Work in progress

Up-to-now: Partial evaluation used to speed up symbolic execution More technical details refer to FMCO’09 paper Can we obtain a partial evaluator for Java programs? Basic approach: Interleave symbolic execution and partial evaluation as before After exhaustive symbolic execution:

◮ Collect simplified statements along execution path ◮ Merge execution paths:

• Introducing conditional statements
• Exploiting dynamic dispatch

Ran Ji KeY’10 100526 13 / 19

A Partial Evaluator for Java based on Symbolic Execution

Work in progress

Up-to-now: Partial evaluation used to speed up symbolic execution More technical details refer to FMCO’09 paper Can we obtain a partial evaluator for Java programs? Basic approach: Interleave symbolic execution and partial evaluation as before After exhaustive symbolic execution:

◮ Collect simplified statements along execution path ◮ Merge execution paths:

• Introducing conditional statements
• Exploiting dynamic dispatch
• Generalization of expressions

Ran Ji KeY’10 100526 13 / 19

Basic Approach

Program CFG SE+PE Merge Point Generalization Rigid Statement Elimination Specialized Program

Ran Ji KeY’10 100526 14 / 19

Example: Binary operators and a power function

abstract class Binary { abstract int eval(int x,int y); abstract int neutral(); } class Add extends Binary { int eval(int x,int y) { return x+y; } int neutral() { return 0; } } class Mult extends Binary { int eval(int x,int y) { return x∗y; } int neutral() { return 1; } } class Power { int exp; Binary op; Power(int exp,Binary op) { this.exp = exp; this.op = op; } int raise(int base) { int result = op.neutral(); int e = exp; while( e−− > 0 ) result = op.eval(result,base); return result; } }

Ran Ji KeY’10 100526 15 / 19

Control-Flow Graph (CFG)

(new Power(y, new Mult())).raise(x)

Ran Ji KeY’10 100526 16 / 19

Control-Flow Graph (CFG)

(new Power(y, new Mult())).raise(x) exp=y

• p=Mult
• p=Add ?

result =0 result =1 e=exp e>0 ?

• p=Add ?

result =result+x result =result∗x e=e−1 return result

Ran Ji KeY’10 100526 16 / 19

Symbolic Execution: Unwinding the CFG

exp=1

• p=Mult

Ran Ji KeY’10 100526 17 / 19

Symbolic Execution: Unwinding the CFG

exp=1

• p=Mult
• p=Add ?

Ran Ji KeY’10 100526 17 / 19

Symbolic Execution: Unwinding the CFG

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=exp e=exp

Ran Ji KeY’10 100526 17 / 19

Symbolic Execution: Unwinding the CFG

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=exp e=exp e>0 ? e>0 ? return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

Ran Ji KeY’10 100526 17 / 19

Symbolic Execution: Unwinding the CFG

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=exp e=exp e>0 ? e>0 ? return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x Ran Ji KeY’10 100526 17 / 19

Symbolic Execution: Unwinding the CFG

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=exp e=exp e>0 ? e>0 ? return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x Ran Ji KeY’10 100526 17 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=exp e=exp e>0 ? e>0 ? return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=exp e=exp e>0 ? e>0 ? return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=exp e=exp e>0 ? e>0 ? return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=1 e=1 e>0 ? e>0 ? return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=1 e=1 e>0 ? e>0 ? return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult
• p=Add ?

rst=0 rst=1 e=1 e=1 e>0 ? e>0 ? return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

• p=Add ?
• p=Add ?

rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

Mult=Add ? rst=0 rst=1 e=1 e=1 e>0 ? e>0 ? return rst return rst Mult=Add ? Mult=Add ? rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

Mult=Add ? Mult=Add ? rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

Mult=Add ? Mult=Add ? rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=0 rst=1 e=1 e=1 e>0 ? e>0 ? return rst return rst false false rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e=e−1 e=e−1 e=e−1 e=e−1

e>0 ? e>0 ?

return rst return rst

false false rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x e>0 ? e>0 ?

return rst return rst

false false rst=rst+x rst=rst∗x rst=rst+x rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 e>0 ? return rst false rst=rst∗x e=e−1

e>0 ?

return rst

false rst=rst∗x Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 e>0 ? return rst false rst=rst∗x e=e−1

e>0 ?

return rst

false rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 e>0 ? return 1 false rst=1∗x e=e−1

e>0 ?

return rst

false rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 e>0 ? return 1 false rst=x e=e−1

e>0 ?

return rst

false rst=rst∗x Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 e>0 ? return 1 false rst=x e=e−1

e>0 ?

return rst

false rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 1>0 ? return 1 false rst=x e=1−1

e>0 ?

return rst

false rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true return 1 false rst=x e=0

e>0 ?

return rst

false rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

e>0 ?

return rst

false rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

e>0 ?

return rst

false rst=rst∗x Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

e>0 ?

return rst

false rst=rst∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

e>0 ?

return x

false rst=x∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

e>0 ?

return x

false rst=x∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

e>0 ?

return x

false rst=x∗x Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

e>0 ?

return x

false rst=x∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

0>0 ?

return x

false rst=x∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

false

return x

false rst=x∗x

mix

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

exp=1

• p=Mult

false rst=1 e=1 true false rst=x e=0

false

return x

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

rst=x return x

Ran Ji KeY’10 100526 18 / 19

Interleaving Symbolic Execution and Partial Evaluation

rst=x return x result = x; return x;

Ran Ji KeY’10 100526 18 / 19

Summary

◮ SE and PE generalize computation in complementary ways ◮ One possibility to combine SE and PE:

Symbolic execution is boosted with partial evaluation

• Replace search (theorem proving) with computation (PE)
• Eliminate execution paths before they are symbolically executed
• Prototypic implementation in KeY with naive PE is promising

◮ Another possibility to combine SE and PE:

Implementing partial evaluator via symbolic execution

• Achieve binding time analysis (BTA) through computation (SE+PE)
• Sophisticated partial evaluator for Java
• Work in progress...

Ran Ji KeY’10 100526 19 / 19