
Chapter 6 “Symbolic execution”, Course “Model checking”, Volker Stolz, Martin Steffen (PowerPoint PPT Presentation)



  1. Chapter 6 Symbolic execution Course “Model checking” Volker Stolz, Martin Steffen Autumn 2019

  2. Section Targets Chapter 6 “Symbolic execution” Course “Model checking” Volker Stolz, Martin Steffen Autumn 2019

  3. Chapter 6 Learning Targets of Chapter “Symbolic execution”. The chapter gives a not-too-deep introduction to symbolic execution and concolic execution.

  4. Chapter 6 Outline of Chapter “Symbolic execution”: Targets, Introduction, Testing and path coverage, Symbolic execution, Concolic testing

  5. Section Introduction (Chapter 6 “Symbolic execution”, Course “Model checking”, Volker Stolz, Martin Steffen, Autumn 2019). Sections: Introduction, Testing and path coverage, Symbolic execution, Concolic testing

  6. Introduction (IN5110 – Verification and specification of parallel systems)
     • symbolic execution: “old” technique [3]
     • natural also in the context of testing
     • concolic execution: extension
     • used also in compilers
       • code generation
       • optimization

  7. Code example (the program is shown as an image on the slide and was not extracted)

  8. How to analyse a (simple) program like that?
     • testing
     • “verification” (whatever that means)
       • could include code review
     • model-checking? Hm?
     • symbolic and concolic execution (see later)

  9. Testing
     • maybe the most used method for ensuring software (and system) “quality”
     • broad field
       • many different testing goals, techniques
       • also used in combination, in different phases of the software engineering cycle
     • here: focus on “white-box” testing
       • AKA structural testing
       • program code available (resp. CFG)
     • also focus: unit testing
     Goals
     • detect errors
     • check corner cases
     • provide high (code) coverage

  10. (Code) coverage
     • note: typically a non-concurrent setting (unit testing)
     • different coverage criteria
       • nodes
       • edges, conditions
       • combinations thereof
       • path coverage
     • defined to answer the question: When have I tested “enough”?
     Path coverage
     • ambitious to impossible (loops)
     • note: still not all reachable states, i.e., not verified yet

  16. Path coverage (program and its paths shown on the slide; not extracted)
     • 3 possible execution paths
     • corresponding path conditions
     • “optimal”: cover all paths
     • find an input set to run the program covering all those paths

  17. Random testing
     • most naive way of testing
     • generating random inputs
       • concrete input values
       • dynamic executions of programs
     • observe actual behavior and compare it against expected behavior

  18. Random testing
     • different inputs, different paths
     • maybe
       • (x, y) = (700, 500)
       • (x, y) = (−700, 500)
       • . . .

  20. One path so far missed (the missed path is highlighted on the slide; not extracted)

  22. How to get that path (or others)?
     • maybe: (x, y) = (145, 10)
     • by chance: very low probability to randomly get y = 10
     • path condition, symbolic representation: x > 0 ∧ y = 10

  23. Symbolic execution
     • symbols instead of concrete values
     • use of path conditions, aka path constraints
     • cf. connection to SAT and SMT
     • constraint solver computes real values

  24. Simple example
     • in the code: assignments, not equations (y := read())
     • introduce variable s for read()
     • assignments
       • y := read() ⇒ y = s
       • y := 2*y ⇒ y = 2s
     • branching point in line 4
       • right: 2s = 12
       • left: 2s ≠ 12

  25. Which input leads to the error?
     Constraint solver: solve the path constraint 2s = 12
     • child’s play: the solution is s = 6
     • but: requires a solver that can do “arithmetic”, including multiplication

  26. In summary: Symbolic execution for dummies
     • take the code (resp. the CFG of the code)
     • collect all paths into path conditions
       • big conjunctions of all conditions along each path
       • each condition b will have
         • one positive mention b in one continuation of the path
         • one negated mention ¬b in the other continuation
     • solve the constraints for paths leading to errors with an appropriate SMT solver
     • works best for loop-free programs
       • cf. also SSA
     • but there is another problem as well (see next)

  27. How about the program we started with? (program shown on the slide; not extracted)

  28. Complex condition x³
     • non-linear constraint
     • in general undecidable
     • most constraint solvers throw in the towel
       • for instance: execution stops, no path covered

  29. What can one do?
     What can one do (beyond accepting that SE won’t cover all paths)?
     • “static analysis”: abstracting
       • cover both paths approximately
     • theorem proving? one cannot sell that to testers
     Concolic testing: Concrete & Symbolic = “concolic”

  30. Concolic testing
     • here following DART
     • combination of two techniques:
       Random testing: concrete values, dynamic execution
       Symbolic execution: symbols, variables, static analysis
     • other name: Dynamic symbolic execution (DSE)
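The path-condition bookkeeping of slides 24 to 26 (each branch recorded once positively, once negated, the conjunction handed to a solver) and the DART-style loop of slide 30, as an added example that is not part of the lecture slides. It assumes a constructed two-input program built from the slides' conditions x > 0 and y = 10 followed by a non-linear product, replaces the SMT solver with a brute-force search over a small integer box, and uses names chosen here (`Sym`, `TRACE`, `holds`, `solve`, `program`, `concolic`).

```python
import itertools

TRACE = []  # path condition of the current run: (linear form, op, branch taken)
class Sym:  # concrete int plus a linear form {var: coef, 1: constant}
    def __init__(self, conc, lin): self.conc, self.lin = conc, dict(lin)
    def isconst(self): return all(k == 1 or v == 0 for k, v in self.lin.items())
    def _lift(self, o): return o if isinstance(o, Sym) else Sym(o, {1: o})
    def __add__(self, o):
        o, lin = self._lift(o), dict(self.lin)
        for k, v in o.lin.items(): lin[k] = lin.get(k, 0) + v
        return Sym(self.conc + o.conc, lin)
    def __mul__(self, o):
        o = self._lift(o)
        if not self.isconst() and not o.isconst():  # x*y lies outside linear arithmetic,
            o = Sym(o.conc, {1: o.conc})             # so (as DART) plug in the concrete value
        a, b = (o, self) if self.isconst() else (self, o)  # b is the constant factor
        return Sym(self.conc * o.conc, {k: v * b.conc for k, v in a.lin.items()})
    def _cmp(self, o, op):  # evaluate concretely and record the branch taken
        d = self + self._lift(o) * -1
        taken = d.conc > 0 if op == '>' else d.conc == 0
        TRACE.append((d.lin, op, taken)); return taken
    def __gt__(self, o): return self._cmp(o, '>')
    def __eq__(self, o): return self._cmp(o, '==')

def holds(lin, op, taken, env):  # does (lin op 0) == taken hold under env?
    val = sum(v * (1 if k == 1 else env[k]) for k, v in lin.items())
    return (val > 0 if op == '>' else val == 0) == taken

def solve(constraints, box=range(-20, 21)):  # stand-in for an SMT solver
    for x, y in itertools.product(box, box):  # brute force over a small integer box
        if all(holds(*c, {'x': x, 'y': y}) for c in constraints):
            return (x, y)
    return None

def program(x, y):  # constructed program under test, modelled on the slides' conditions
    if x > 0 and y == 10 and x * y == 20:  # short-circuit: three branches, like nested ifs
        return "error"                      # x*y is non-linear: pure SE would give up here
    return "ok"

def concolic(prog, start, max_runs=10):  # DART loop: run, negate a branch, solve, rerun
    runs, queue, seen = [], [start], set()
    while queue and len(runs) < max_runs:
        x, y = queue.pop(0); TRACE.clear()
        runs.append(((x, y), prog(Sym(x, {1: 0, 'x': 1}), Sym(y, {1: 0, 'y': 1}))))
        trace, path = list(TRACE), tuple(t for _, _, t in TRACE)
        seen.update(path[:k] for k in range(1, len(path) + 1))  # prefixes already covered
        for i in reversed(range(len(trace))):  # try flipping each branch, deepest first
            flipped = trace[:i] + [(trace[i][0], trace[i][1], not trace[i][2])]
            if (key := tuple(t for _, _, t in flipped)) not in seen and (new := solve(flipped)): seen.add(key); queue.append(new)
    return runs
```

Starting from the slide's random input (700, 500), the loop first flips y = 10, then, with y concretized to 10, turns the product into the linear constraint 10x = 20 and reaches the error with (2, 10) in four runs.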
