Symbolic Execution - Summer School Marktoberdorf

Mar 29, 2019

Page 1

Department of Computer Science

Symbolic Execution

Page 2

Daniel Kroening, Marktoberdorf 2017

Overview

• SAT/SMT: enabling technology
• Over- vs. under-approximating static analysis
• Path-based symbolic simulation
• Path merging

Page 3

Enabling Technology: SAT/SMT

[Figure: Results of the SAT competition/race winners on the SAT 2009 application benchmarks, 20 min timeout. One curve per year's winner, 2002 to 2013; x-axis: number of problems solved (0 to 180); y-axis: CPU time in seconds (0 to 1200).]

Page 4

Propositional SAT

• SAT solvers accept propositional logic in the form of CNF as input
• Minisat, Picosat, and many others
• Generally good idea for NP-hard problems
• Provide satisfying assignment
• Also: incremental solving and conflict variables

Page 5

Conflict-driven Clause Learning

[Slide shows a scan of the decision procedures book, Sect. 2.2 "SAT Solvers", p. 33:]

Algorithm 2.2.1: CDCL-SAT
Input: A propositional CNF formula B
Output: "Satisfiable" if the formula is satisfiable and "Unsatisfiable" otherwise

1. function CDCL
2.   while (true) do
3.     while (BCP() = "conflict") do
4.       backtrack-level := Analyze-Conflict();
5.       if backtrack-level < 0 then return "Unsatisfiable";
6.       BackTrack(backtrack-level);
7.     if ¬Decide() then return "Satisfiable";

[Fig. 2.5. CDCL-SAT: high-level overview of the Conflict-Driven Clause-Learning algorithm. The variable bl is the backtracking level, i.e., the decision level to which the procedure backtracks. α is an assignment (either partial or full). Flow: Decide --α--> BCP; BCP --conflict--> Analyze-Conflict; Analyze-Conflict --bl ≥ 0--> BackTrack --α--> BCP; Analyze-Conflict --bl < 0--> UNSAT; Decide --all assigned--> SAT.]

... at which it occurred. If a variable xi is assigned 1 (true) (owing to either a decision or an implication) at decision level dl, we write xi@dl. Similarly, ¬xi@dl reflects an assignment of 0 (false) to this variable at decision level dl. Where appropriate, we refer only to the truth assignment, omitting the decision level, in order to make the notation simpler.

The process of BCP is best illustrated with an implication graph. An implication graph represents the current partial assignment and the reason for each of the implications.

Definition 2.6 (implication graph). An implication graph is a labeled directed acyclic graph G(V,E), where:

Page 6

SMT

• "Satisfiability Modulo Theories"
• This is a file format (and API) for specifying formulas taken from specific theories
  – Uninterpreted functions
  – Rational/integer linear arithmetic
  – Arrays
  – Bit-vectors

Page 7

DPLL(T)

• Uses propositional SAT solver as central component
• Tight integration with theory solvers
• Z3, CVC, Boolector, MathSAT
• Bjørner will teach this next week

Page 8

DPLL(T)

[Slide shows a scan of the decision procedures book, Chap. 3 "From Propositional to Quantifier-Free Theories", p. 68:]

[Fig. 3.3. The main components of DPLL(T). Theory propagation is implemented in Deduction. Flow: Decide --α--> BCP; BCP --conflict--> Analyze-Conflict; Analyze-Conflict --bl < 0--> UNSAT; Analyze-Conflict --bl ≥ 0--> BackTrack --α--> BCP; BCP (no conflict) --T̂h(α)--> Deduction; Deduction --t--> AddClauses --e(t)--> BCP; Deduction (nothing to propagate, no conflict) --> Decide; Decide --all assigned--> SAT.]

... theory T. Accordingly, this technique is known by the name theory propagation.

What are the requirements on these new clauses? As before, they have to be implied by ϕ and are restricted to a finite set of atoms—typically to ϕ's atoms. It is desirable that, when T̂h(α) is unsatisfiable, e(t) blocks α; it is not mandatory, because whether it blocks α or not does not affect correctness—Deduction only needs to be complete when α is a full assignment. Certain SMT solvers exploit this fact to perform cheap checks on partial assignments, e.g., bound the time dedicated to them. What if T̂h(α) is satisfiable? Then we require t to fulfill one of the following two conditions in order to guarantee termination:

1. The clause e(t) is an asserting clause under α (asserting clauses are defined in Sect. 2.2.3). This implies that the addition of e(t) to B and a call to BCP leads to an assignment to the encoder of some literal.

2. When Deduction cannot find an asserting clause t as defined above, t and e(t) are equivalent to true.

The second case occurs, for example, when all the Boolean variables are already assigned, and thus the formula is found to be satisfiable. In this case, the condition in line 11 is met and the procedure continues from line 13, where Decide is called again. Since all variables are already assigned, the procedure returns "Satisfiable".

Example 3.3. Consider once again the example of the two encoders e(x1 ≥ 10) and e(x1 < 0). After the first of these has been set to true, the procedure

Page 9

Bit-Vector Flattening

• C/C++ and Java use semantics with modular arithmetic (i.e., wrap-around)
• In the SMT context: SMT-BV
• Can be solved effectively with flattening

Page 10

Bit-Vector Flattening

• This is straightforward for
  – Equality
  – Bit-wise operators (&, |, ^)
• Transformation into CNF is done using Tseitin's encoding

Page 11

Flattening Bit-Vector Arithmetic

How to flatten a + b?

→ we can build a circuit that adds them!

[Figure: one full adder FA with inputs a, b and carry-in i, outputs sum s and carry-out o]

Full Adder

s ≡ (a + b + i) mod 2 ≡ a ⊕ b ⊕ i

o ≡ (a + b + i) div 2 ≡ a · b + a · i + b · i

The full adder in CNF (these six clauses define the carry output o; the sum bit s needs its own clauses):

(a ∨ b ∨ ¬o) ∧ (a ∨ ¬b ∨ i ∨ ¬o) ∧ (a ∨ ¬b ∨ ¬i ∨ o) ∧ (¬a ∨ b ∨ i ∨ ¬o) ∧ (¬a ∨ b ∨ ¬i ∨ o) ∧ (¬a ∨ ¬b ∨ o)

D. Kroening: Software Verification 28

Page 12

Flattening Bit-Vector Arithmetic

Ok, this is good for one bit! How about more?

8-Bit ripple carry adder (RCA)

[Figure: eight full adders FA in a chain; inputs a7 b7, a6 b6, ..., a0 b0 and carry-in i; outputs s7 ... s0 and carry-out o]

• Also called carry chain adder
• Adds l variables
• Adds 6 · l clauses

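Added example, not from the slides: the flattening of the last two slides carried through in Python. full_adder emits the six carry clauses from the slide plus eight clauses for the sum bit, ripple_carry_adder chains the adders LSB first as in the figure, and check_adder enumerates every assignment for a small width to confirm that the CNF computes wrap-around addition and nothing else. The CNF helper class and the clause-per-truth-table-row encoding of the sum bit are my own choices, not the slides'.

```python
from itertools import product

class CNF:                       # clauses over DIMACS literals: +v true, -v false
    def __init__(self): self.nvars, self.clauses = 0, []
    def new_var(self): self.nvars += 1; return self.nvars
    def add(self, *lits): self.clauses.append(tuple(lits))

def full_adder(cnf, a, b, i):
    """Tseitin-style encoding of one full adder; returns (sum bit, carry-out)."""
    s, o = cnf.new_var(), cnf.new_var()
    # carry o = a*b + a*i + b*i: the six clauses shown on the slide
    cnf.add(a, b, -o); cnf.add(a, -b, i, -o); cnf.add(a, -b, -i, o)
    cnf.add(-a, b, i, -o); cnf.add(-a, b, -i, o); cnf.add(-a, -b, o)
    # sum s = a xor b xor i: 8 clauses, one per truth-table row, each ruling out the wrong s
    for sa, sb, si in product((1, -1), repeat=3):
        parity = (sa + sb + si + 3) // 2 % 2      # number of true inputs, mod 2
        cnf.add(-sa * a, -sb * b, -si * i, s if parity else -s)
    return s, o

def ripple_carry_adder(cnf, xs, ys, carry_in):
    """Chain full adders LSB first (xs[0] is bit 0); returns (sum bits, carry-out)."""
    sums, c = [], carry_in
    for a, b in zip(xs, ys):
        s, c = full_adder(cnf, a, b, c)
        sums.append(s)
    return sums, c

def satisfies(clauses, asg):
    return all(any(asg[abs(l)] == (l > 0) for l in cl) for cl in clauses)

def to_int(bits, asg):           # little-endian bit list -> unsigned integer
    return sum(asg[v] << k for k, v in enumerate(bits))

def check_adder(n):
    """Exhaustive check: every model agrees with (x + y + cin) mod 2^n, one model per input."""
    cnf = CNF()
    xs, ys = [cnf.new_var() for _ in range(n)], [cnf.new_var() for _ in range(n)]
    cin = cnf.new_var()
    sums, cout = ripple_carry_adder(cnf, xs, ys, cin)
    models = 0
    for bits in product((False, True), repeat=cnf.nvars):
        asg = dict(enumerate(bits, start=1))
        if satisfies(cnf.clauses, asg):
            total = to_int(xs, asg) + to_int(ys, asg) + asg[cin]
            if to_int(sums, asg) != total % (1 << n) or asg[cout] != total >> n:
                return False
            models += 1
    # 2 fresh variables and 6 + 8 clauses per bit; exactly one model per input vector
    return models == 2 ** (2 * n + 1) and len(cnf.clauses) == 14 * n
```

The slide's count of l variables and 6 · l clauses covers the carry chain only; the sum bits add another l variables and 8 · l clauses in this encoding.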

Page 13

Incremental Flattening

• Idea: add "easy" parts of the formula first
• Only add hard parts when needed
• CNF only gets stronger – use an incremental SAT solver

Page 14

Incremental Flattening

[Flow chart:]

φ_f := φ_sk, F := ∅
Is φ_f SAT?
  No → UNSAT
  Yes → compute I
    I = ∅ → SAT
    I ≠ ∅ → pick F' ⊆ (I \ F); F := F ∪ F'; φ_f := φ_f ∧ CONSTRAINT(F'); back to "Is φ_f SAT?"

φ_sk: Boolean part of φ
F: set of terms that are in the encoding
I: set of terms that are inconsistent with the current assignment


Page 15

More Reading on SAT/SMT

• Book on decision procedures (happy to email PDFs)
• Armin's Handbook on SAT

Page 16

Static Analysis

• Gain information about the program without running it
• No test inputs needed
• Better handle on non-determinism, i.e., thread-schedule and input data

Page 17

Approximating Static Analysis

• The precise behaviour of programs is incredibly complex
• Static analyses thus approximate program behaviours
• Most aim to over-approximate

Page 18

Over-Approximating Static Analysis

float A1[3] = { 1, 0.5179422053046, 1.0 };
float b1[2] = { 1.470767736573, 0.5522073405779 };
float A2[3] = { 1, 1.633101801841, 1.0 };
float b2[2] = { 1.742319554830, 0.820939679242 };
float D1[2], D2[2];   /* delay lines of the two second-order sections */
float P, X;

float input(void);    /* assumed: supplied by the environment, returns the next sample */

void iir4(float *x, float *y) {
    float x1, y1, t1, t2;
    x1 = 0.0117749388721091 * *x;   /* the slide reads "X1", which is undeclared; must be x1 */
    t1 = x1 + b1[0]*D1[0] - b1[1]*D1[1];
    y1 = A1[0]*t1 - A1[1]*D1[0] + A1[2]*D1[1];
    D1[1] = D1[0]; D1[0] = t1;
    t2 = y1 + b2[0]*D2[0] - b2[1]*D2[1];
    *y = A2[0]*t2 - A2[1]*D2[0] + A2[2]*D2[1];
    D2[1] = D2[0]; D2[0] = t2;
}

int main () {
    while (1) { X = input(); iir4(&X, &P); }
}

[ESOP 2005]

Page 19

Over-Approximating Static Analysis

Key benefit:
✓ when done right, one can prove absence of certain bugs

[ESOP 2005]

Page 20

Over-Approximating Static Analysis

Key problems:
✗ Approximation is often hard-wired to
  • particular kinds of bugs and
  • program constructs
✗ Not helpful for "novel" bugs or new ways of doing things
✗ False alarms!

Page 21

False Alarms

Page 22

[PLDI 2012]

/* excerpt as shown on the slide */
const char *
read_response(const char *prompt, int flags)
{
    char *askpass = NULL, *ret = NULL, buf[1024];
    int rppflags, use_askpass = 0, ttyfd;

    rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
    if (flags & RP_USE_ASKPASS)
        use_askpass = 1;
    else if (flags & RP_ALLOW_STDIN) {
        if (!isatty(STDIN_FILENO)) {
            debug("read_response: stdin is not a tty");
            use_askpass = 1;
        }
    } else {
        rppflags |= RPP_REQUIRE_TTY;
        ttyfd = open(_PATH_TTY);
        if (ttyfd >= 0)
            close(ttyfd);
        else {
            debug("read_response: can't open %s: %s", _PATH_TTY,
                strerror(errno));
            use_askpass = 1;
        }
    }

    if ((flags & RP_USE_ASKPASS) || !(ret = getenv("DISPLAY")))
        goto end;

    if (use_askpass && getenv("DISPLAY")) {
        if (getenv(SSH_ASKPASS_ENV))
            askpass = getenv(SSH_ASKPASS_ENV);
        else
            askpass = _PATH_SSH_ASKPASS_DEFAULT;
        if ((ret = ssh_askpass(askpass, prompt)) == NULL)
            if (!(flags & RP_ALLOW_EOF))
                return xstrdup("");
        goto end;
    }

    ret = xstrdup(buf);
    memset(buf, 'x', sizeof buf);
end:
    return ret;
}