Program Analysis via Satisfiability Modulo Path Programs

Post on 23-Feb-2016

Description: Program Analysis via Satisfiability Modulo Path Programs. William Harris, Sriram Sankaranarayanan, Franjo Ivančić, Aarti Gupta. POPL 2010. PowerPoint presentation.

Transcript of Program Analysis via Satisfiability Modulo Path Programs

1

Program Analysis via Satisfiability Modulo Path Programs

William Harris, Sriram Sankaranarayanan, Franjo Ivančić, Aarti Gupta

POPL 2010

2

Assertions as Specifications

• Lightweight

• Often automatic from semantics
  – Null-pointer dereferences
  – Buffer overflows

3

proc. foo(int* p, int pLen, int mode)
    assume (pLen > 1);
    int off, L := 1, bLen := 0;
    if (p = NULL) pLen := -1;
    if (mode = 0)
        off := 1;
    else
        off := 0;
    while (L <= pLen)
        bLen := L - off;
        L := 2 * L;
    assert(!p || bLen <= pLen);

4

[CFG of foo: entry edge L := 1; bLen := 0; pLen >= 1, followed by a branch on p (p = 0, then pLen := -1, or p != 0), a branch on mode (mode = 0 or mode != 0, setting off := 1 or off := 0), the loop edge L <= pLen: bLen := L - off; L := L * 2, the exit edge L > pLen and the error edge p != 0 && bLen > pLen]

Path Program: Left Branch, Left Branch

Invariants along this path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; … ∧ p = 0 ∧ pLen = -1; … ∧ p = 0 ∧ mode = 0; … ∧ p = 0 at the loop; error edge: False

5

[CFG of foo as on slide 4]

Path Program: Left Branch, Right Branch

Invariants along this path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; … ∧ p = 0; … ∧ p = 0 ∧ mode ≠ 0; … ∧ p = 0 at the loop; error edge: False

6

[CFG of foo as on slide 4]

Path Program: Right Branch, Left Branch

Invariants along this path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1 at the entry and after both branches; bLen ≤ pLen around the loop; error edge: False

7

[CFG of foo as on slide 4]

Path Program: Right Branch, Right Branch

Invariants along this path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; L = 1 ∧ bLen = 0 ∧ p ≠ 0; L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; bLen ≤ pLen around the loop; error edge: False

[Second panel: the path program alone, i.e. the edges L := 1; bLen := 0; pLen >= 1, p != 0, mode != 0, off := 1, the loop, L > pLen and the error edge p != 0 && bLen > pLen, annotated with bLen ≤ pLen and, on the error edge, False]

8

Control-Flow Abstraction

[Diagram: the CFG of foo reduced to its entry edge, the loop edge L <= pLen: bLen := L - off; L := L * 2 and the error edge p != 0 && bLen > pLen, annotated with bLen ≤ pLen at every program point around the loop]

9

Key Issues

Need:
• abstraction
• refinement
that allow us to analyze a small set of path programs, generalize proofs.

10

Road Map

• Satisfiability Modulo Path Programs (SMPP)

• Experimental Evaluation

11

Abstraction

1. Encode unproven path programs as propositional formula.

2. Query SAT solver for solution.

3. From the solution, extract an unverified path program.

Propositional Variables for Edges

[Diagram: the CFG of foo with one propositional variable per edge, q0 (entry) through q9 (error edge)]

13

Encoding Path Programs

CFG form      Depiction   Encoding
entry edges   q0          q0 = True
error edges   q9          q9 = True

14

Encoding Path Programs

[Diagram: branch and join between the edges q3, q2 and q4, q5]

q3 → exactlyOne(q4, q5)    q2 → exactlyOne(q4, q5)
q4 → exactlyOne(q3, q2)    q5 → exactlyOne(q3, q2)

15

Initial Abstraction of Example

Φ := q0
   ∧ q0 ↔ exactlyOne(q1, q2)
   ∧ q1 ↔ q3
   ∧ exactlyOne(q3, q2) ↔ exactlyOne(q4, q5)
   ∧ (q4 ↔ q6) ∧ (q5 ↔ q7)
   ∧ exactlyOne(q6, q7) ↔ q8
   ∧ q8 ↔ q9
   ∧ q9

[Diagram: the CFG of foo with edge variables q0 through q9]

16

A Path Program from a SAT Solution

[Diagram: the path program given by the edges q0, q2, q5, q7, q8, q9 highlighted in the CFG]

17

Refinement

• Apply program analysis oracle to determine safety of path program

• If safe, then encode safety in the abstraction

18

Apply Analysis Oracle: Naïve

[CFG of foo as on slide 4, annotated with the invariants computed for the path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; L = 1 ∧ bLen = 0 ∧ p ≠ 0; L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; bLen ≤ pLen around the loop; error edge: False]

19

Prop. Encoding:Naïve

[Diagram: the CFG of foo with edge variables q0 through q9]

20

Naïve Blocking Clause

Φ := Φ ∧ ¬(q0 ∧ q2 ∧ q5 ∧ q7 ∧ q8 ∧ q9)

[CFG of foo as on slide 4, annotated with L = 1 ∧ bLen = 0 ∧ pLen ≥ 1 at the entry, bLen ≤ pLen ∧ off = 1 at the loop and False on the error edge]

21

Apply Analysis Oracle: Local Repair

[CFG of foo as on slide 4. Invariants of the proved path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1 ∧ p ≠ 0; L = 1 ∧ bLen = 0 ∧ pLen ≥ 1 ∧ p ≠ 0 ∧ mode ≠ 0; bLen ≤ pLen ∧ off = 1 at the loop; False on the error edge. Repaired invariants shown for the other branches: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; bLen ≤ pLen]

22

Apply Analysis Oracle: Local Repair

[Diagram: the CFG of foo after local repair, with the entry edge L := 1; bLen := 0; pLen >= 1, the edge pLen := -1, the loop edge L <= pLen: bLen := L - off; L := L * 2 and the error edge p != 0 && bLen > pLen labelled]

23

Prop. Encoding: Local Repair

[Diagram: the CFG of foo with edge variables q0 through q9]

24

Blocking Clause with Local Repair

Φ := Φ ∧ (¬(q0 ∧ q9) ∨ q3) ∧ ¬(q0 ∧ q2 ∧ q5 ∧ q7 ∧ q8 ∧ q9)

25

One More Path Program Suffices

[CFG of foo as on slide 4 with the p = 0 edge highlighted, annotated with L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; … ∧ p = 0 ∧ pLen = -1; … ∧ p = 0 ∧ mode = 0; … ∧ p = 0 at the loop; False on the error edge]
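The loop of slides 11 to 25 run on the example CFG of foo, as an added Python example that is not code from the slides or the paper. Assumptions: the edge numbering q0 to q9 follows slides 12 to 16, the SAT query is a brute-force search over the ten edge variables, the analysis oracle is a bounded-input checker standing in for the paper's static analysis, and the generalisation step re-runs the oracle with one branch flipped instead of repairing the proved path program's invariants as the slides' local repair does.

```python
import itertools

# Edge numbering assumed from slides 12-16: q0 entry, q1 (p = 0), q2 (p != 0), q3 after pLen := -1,
# q4 (mode = 0), q5 (mode != 0), q6 / q7 after the two off assignments, q8 loop entry, q9 error edge.
N_EDGES = 10
BRANCHES = [({1, 3}, {2}), ({4, 6}, {5, 7})]   # the two sides of each if-statement, as edge sets

def exactly_one(*bits):
    return sum(bits) == 1
def cfg_formula(q):
    """Initial abstraction of slide 15: each model is one entry-to-error path of the CFG."""
    return (q[0] and q[9] and exactly_one(q[1], q[2]) and q[1] == q[3]
            and exactly_one(q[3], q[2]) == exactly_one(q[4], q[5]) and q[4] == q[6]
            and q[5] == q[7] and exactly_one(q[6], q[7]) == q[8] and q[8] == q[9])
def sat(blocked):
    """Brute-force SAT query: first model not excluded by a blocking clause (a forbidden edge set)."""
    for q in itertools.product((False, True), repeat=N_EDGES):
        if cfg_formula(q) and not any(all(q[e] for e in c) for c in blocked):
            return {e for e in range(N_EDGES) if q[e]}      # the path program as a set of edges
    return None
def oracle(path):
    """Stand-in analysis oracle (assumption): runs foo restricted to the edges in `path` over
    a bounded input domain; the paper's oracle is a static analysis that covers all inputs."""
    for p, mode, pLen in itertools.product((0, 1), (0, 1), range(2, 9)):  # assume(pLen > 1)
        if (1 in path) != (p == 0) or (4 in path) != (mode == 0):
            continue                                # input does not follow this path program
        L, bLen, off = 1, 0, (1 if mode == 0 else 0)
        if p == 0:
            pLen = -1
        while L <= pLen:
            bLen, L = L - off, 2 * L
        if p and bLen > pLen:                       # assert(!p || bLen <= pLen) violated
            return False
    return True

def smpp(generalise):
    """Refinement loop: number of path programs proved before the abstraction becomes
    unsatisfiable (program verified), or None if the oracle finds a real counterexample."""
    blocked, proved = [], 0
    while (path := sat(blocked)) is not None:
        if not oracle(path):
            return None
        proved += 1
        clause = set(path)                          # naive blocking clause (slide 20)
        if generalise:                              # simplified local repair (slide 24):
            for a, b in BRANCHES:                   # flip one branch; if the flipped path is
                other = (path - a) | b if a <= path else (path - b) | a   # still safe, the
                if oracle(other):                   # branch is irrelevant and both its sides
                    clause -= a | b                 # are dropped from the blocking clause
        blocked.append(clause)
    return proved
```

smpp(False) proves all four path programs one by one, while smpp(True) blocks every remaining path after the first proof, which is more than the slides' local repair, which still needs the p = 0 path program.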

26

Experiments

27

Zitser Benchmarks

• Real world programs:
  – wu-ftpd
  – bind
  – sendmail

• Checked for buffer overflow bugs

• BLAST proves more properties on average

• SMPP completes faster (>100x)

28

Larger Benchmarks

• Real-world programs:
  – thttpd
  – ssh-server
  – xvidcore

• Checked function pre, post conditions for buffer accesses

• SMPP proved ~35% of thousands of properties

29

Conclusion

• SMPP uses a symbolic abstraction refinement scheme for control-flow.

• SMPP is slightly coarser than predicate abstraction, but converges much faster.

30

Questions?

Predicate Abstraction

[Diagram: the path program through p != 0, mode != 0, off := 1, the loop L <= pLen: bLen := L - off; L := L * 2 and the exit edge L > pLen to the error edge p != 0 && bLen > pLen, with the predicate bLen ≤ pLen tracked at every program point: bLen ≤ pLen at five points, ¬(bLen ≤ pLen) at five points, and False on the error edge]

32

SMPP: Path Program 1

[CFG of foo as on slide 4, annotated as on slide 7: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; L = 1 ∧ bLen = 0 ∧ p ≠ 0; L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; bLen ≤ pLen around the loop; False on the error edge. Second panel: the entry edge, the edge pLen := -1, the loop and the error edge p != 0 && bLen > pLen]

33

SMPP: Path Program 2

[CFG of foo as on slide 4 with the p = 0 edge highlighted, annotated as on slide 4: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1; … ∧ p = 0 ∧ pLen = -1; … ∧ p = 0 ∧ mode = 0; … ∧ p = 0 at the loop; False on the error edge]

34

Problem Statement

            SMT                     SMPP
Given a     disjunctive formula     branching program
determine   satisfiability          safety
using       theory solvers          analyses
for         conjunctive formulas    path programs

35

Key Analog

• Abstraction using a propositional encoding

• Refinement using blocking clauses conjoined to abstraction