cse507
play

CSE507 Computer-Aided Reasoning for Software Symbolic Execution - PowerPoint PPT Presentation

Feb 14, 2023 •393 likes •851 views

CSE507 Computer-Aided Reasoning for Software Symbolic Execution courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Bounded verification: forward VCG for finitized programs 2

  1. CSE507 Computer-Aided Reasoning for Software Symbolic Execution courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu

  2. Today 2

  3. Today Last lecture • Bounded verification: forward VCG for finitized programs 2

  4. Today Last lecture • Bounded verification: forward VCG for finitized programs Today • Symbolic execution: a path-based translation • Concolic testing 2

  5. The spectrum of program validation tools Static Analysis Verification Extended Static Bounded Verification Confidence Checking & Symbolic Execution Concolic Testing & Whitebox Fuzzing Ad-hoc Testing Cost (programmer effort, time, expertise) 3

  6. The spectrum of program validation tools Static Analysis Verification Extended Static Bounded Verification Confidence Checking & Symbolic Execution E.g., JPF, Klee Concolic Testing & Whitebox Fuzzing E.g., SAGE, Pex, CUTE, DART Ad-hoc Testing Cost (programmer effort, time, expertise) 3

  7. Symbolic execution 1976: A system to generate test data and symbolically execute programs (Lori Clarke) 1976: Symbolic execution and program testing (James King) 2005-present: practical symbolic execution • Using SMT solvers • Heuristics to control exponential explosion • Heap modeling and reasoning about pointers • Environment modeling • Dealing with solver limitations 4

  8. Classic symbolic execution def f (x, y): if (x > y): x = x + y y = x - y x = x - y if (x - y > 0): assert false return (x, y) 5

  9. Classic symbolic execution def f (x, y): if (x > y): x = x + y y = x - y x = x - y if (x - y > 0): assert false return (x, y) Execute the program on symbolic values . 5

  10. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): if (x > y): x = x + y y = x - y x = x - y if (x - y > 0): assert false return (x, y) Execute the program on symbolic values . Symbolic state maps variables to symbolic values. 5

  11. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ Y if (x > y): x = x + y x ↦ X y = x - y y ↦ Y x = x - y if (x - y > 0): assert false return (x, y) Execute the program on symbolic values . Symbolic state maps variables to symbolic values. Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. 5

  12. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ Y if (x > y): x = x + y x ↦ X y = x - y y ↦ Y x = x - y if (x - y > 0): feasible assert false return (x, y) Execute the program on symbolic values . Symbolic state maps variables to symbolic values. Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. All paths in the program form its execution tree , in which some paths are feasible and some are infeasible . 5

  13. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): feasible assert false return (x, y) Execute the program on symbolic values . Symbolic state maps variables to symbolic values. Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. All paths in the program form its execution tree , in which some paths are feasible and some are infeasible . 5

  14. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . Symbolic state maps variables to symbolic values. Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. All paths in the program form its execution tree , in which some paths are feasible and some are infeasible . 5

  15. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. All paths in the program form its execution tree , in which some paths are feasible and some are infeasible . 5

  16. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch Y - X ≤ 0 decisions taken so far. x ↦ Y All paths in the program form its execution tree , y ↦ X in which some paths are feasible and some are infeasible . 5

  17. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch Y - X ≤ 0 decisions taken so far. x ↦ Y All paths in the program form its execution tree , y ↦ X in which some paths are feasible and some are infeasible . feasible 5

  18. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch Y - X ≤ 0 Y - X > 0 decisions taken so far. x ↦ Y x ↦ Y All paths in the program form its execution tree , y ↦ X y ↦ X in which some paths are feasible and some are infeasible . feasible 5

  19. Classic symbolic execution x ↦ X y ↦ Y def f (x, y): X ≤ X > Y Y if (x > y): x = x + y x ↦ X + x ↦ X Y y = x - y y ↦ Y y ↦ Y x = x - y if (x - y > 0): true feasible assert false x ↦ X + Y return (x, y) y ↦ X Execute the program on symbolic values . true Symbolic state maps variables to symbolic values. x ↦ Y y ↦ X Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch Y - X ≤ 0 Y - X > 0 decisions taken so far. x ↦ Y x ↦ Y All paths in the program form its execution tree , y ↦ X y ↦ X in which some paths are feasible and some are infeasible . infeasible feasible 5

  20. Classic symbolic execution: practical issues 6

  21. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees 6

  22. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths 6

  23. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths Heap modeling: symbolic data structures and pointers 6

  24. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths Heap modeling: symbolic data structures and pointers Solver limitations: dealing with complex PCs 6

  25. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths Heap modeling: symbolic data structures and pointers Solver limitations: dealing with complex PCs Environment modeling: dealing with native / system / library calls 6

  26. Classic symbolic execution: practical issues Loops and recursion: infinite execution trees Path explosion: exponentially many paths Heap modeling: symbolic data structures and pointers Solver limitations: dealing with complex PCs Environment modeling: dealing with native / system / library calls 6

  27. Loops and recursion Dealing with infinite execution trees: • Finitize paths by limiting the size of PCs (bounded verification) • Use loop invariants (verification) 7

  28. Loops and recursion Dealing with infinite execution trees: • Finitize paths by limiting the size of PCs (bounded verification) • Use loop invariants (verification) init; while (C) { I B; } assert P; 7

  29. Loops and recursion Dealing with infinite execution trees: • Finitize paths by limiting the size of PCs (bounded verification) • Use loop invariants (verification) init; assert I; makeSymbolic(targets(B)); init; assume I; while (C) { if (C) { I B; B; } assert I; assert P; } else assert P; 7

  30. Path explosion Achieving good coverage in the presence of exponentially many paths: • Select next branch at random • Select next branch based on coverage • Interleave symbolic execution with random testing 8

Recommend

CSE507 Computer-Aided Reasoning for Software Finite Model Finding

CSE507 Computer-Aided Reasoning for Software Finite Model Finding

CSE507 Computer-Aided Reasoning for Software Finite Model Finding courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture The DPPL(T) framework for deciding quantifier-free SMT

986 views • 69 slides
CSE507 Computer-Aided Reasoning for Software Bounded Verification

CSE507 Computer-Aided Reasoning for Software Bounded Verification

CSE507 Computer-Aided Reasoning for Software Bounded Verification courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Full functional verification with Dafny, Boogie, and Z3 2

809 views • 54 slides
CSE507 Computer-Aided Reasoning for Software Program Synthesis

CSE507 Computer-Aided Reasoning for Software Program Synthesis

CSE507 Computer-Aided Reasoning for Software Program Synthesis courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today Last lecture Angelic nondeterminism and execution Today Program synthesis:

645 views • 15 slides
CSE507 Computer-Aided Reasoning for Software Model Checking I

CSE507 Computer-Aided Reasoning for Software Model Checking I

CSE507 Computer-Aided Reasoning for Software Model Checking I courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Symbolic execution and concolic testing 2 Today Last lecture

776 views • 62 slides
CSE507 Computer-Aided Reasoning for Software Solver-Aided Languages

CSE507 Computer-Aided Reasoning for Software Solver-Aided Languages

CSE507 Computer-Aided Reasoning for Software Solver-Aided Languages courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Program synthesis 2 Today Last lecture Program

1.77k views • 127 slides
CSE507 Computer-Aided Reasoning for Software Model Checking II

CSE507 Computer-Aided Reasoning for Software Model Checking II

CSE507 Computer-Aided Reasoning for Software Model Checking II courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Model checking basics 2 Today Last lecture Model

831 views • 55 slides

More recommend