Test Case Generation for Heap Inputs using Separation Logic

Post on 04-Jan-2020


Test Case Generation for Heap Inputs using Separation Logic

Quang Loc Le

A joint work with many collaborators

NII Shonan Meeting Seminar 100, Japan

Oct 2, 2017

Loc Le (Teesside University) Program Testing using Separation Logic Oct 2, 2017 1 / 34

Test Case Generation for Heap Inputs

Input: a Java program and its Precondition

Output: Valid test cases

Goal: high coverage


Test Case Generation for Heap Inputs

Approach: Symbolic Execution

Path condition

Branching

SAT solver


Test Case Generation for Heap Inputs

Symbolic Execution with Lazy Initialization

JPF - 2003: Assign values to heap inputs on demand
  1 x ← null
  2 x ← currentObj
  3 x ← newObj

BBE - 2004: with repOK

JBSE - 2015: with HEX logical precondition


Test Case Generation for Heap Inputs

Symbolic Execution with Lazy Initialization

JPF - 2003

BBE - 2004

JBSE - 2015: with logical precondition for validation

  only regular shape
  no pure properties
  bounded - unsound SAT for induction


Test Case Generation for Heap Inputs

Symbolic Execution

Lazy Initialization with Least Fixed Point

SAT solver with induction reasoning


Add two numbers represented by linked lists

pred list_pair(a,b) ≡ emp ∧ a=null ∧ b=null
                    ∨ ∃n1,n2. a ↦ Node(_,n1) ∗ b ↦ Node(_,n2) ∗ list_pair(n1,n2)


Add two numbers represented by linked lists

Input:

Program

  Node add(Node x, Node y) {
    Node dummyHead = new Node(0, null);
    Node z = dummyHead;
    while (x != null) {
      z.next = new Node(x.next + y.next, null);
      x = x.next;
      y = y.next;
      z = z.next;
    }
    return dummyHead.next;
  }

Precondition

list_pair(x, y)

Output: Test Cases

X=null ∧ Y=null

X ↦ Node(_,null) ∗ Y ↦ Node(_,null)


Add two numbers represented by linked lists

  Node add(Node x, Node y) {
    Node dummyHead = new Node(0, null);
    Node z = dummyHead;
    while (x != null) {
      z.next = new Node(x.next + y.next, null);
      x = x.next;
      y = y.next;
      z = z.next;
    }
    return dummyHead.next;
  }

pc : ∃D,Z. list_pair(X,Y) ∗ D ↦ Node(_,null) ∧ Z=D

pc : ∃D,Z. (X=null ∧ Y=null) ∗ D ↦ Node(_,null) ∧ Z=D

pc : ∃D,Z,N1,N2. X ↦ Node(_,N1) ∗ Y ↦ Node(_,N2) ∗ list_pair(N1,N2) ∗ D ↦ Node(_,null) ∧ Z=D
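A runnable sketch of the bounded unfolding behind the test cases above, added here as an illustration and not taken from the talk's tool: it unfolds list_pair(x,y) a bounded number of times, concretises every base leaf into a pair of Python linked lists, and runs them through a Python port of add(). The Node payload field is assumed to be called val, and the payload value 1 is a constructed placeholder.

```python
from itertools import count

class Node:
    # Heap cell mirroring the slide's Java Node (payload field assumed: val).
    def __init__(self, val, nxt=None):
        self.val, self.next = val, nxt

def unfold_list_pair(a, b, fresh):
    # One unfolding of list_pair(a,b) ≡ emp ∧ a=null ∧ b=null
    #   ∨ ∃n1,n2. a ↦ Node(_,n1) ∗ b ↦ Node(_,n2) ∗ list_pair(n1,n2)
    # A disjunct is (points-to edges, remaining predicates, variables = null).
    n1, n2 = f"n{next(fresh)}", f"n{next(fresh)}"
    return [([], [], [a, b]),
            ([(a, n1), (b, n2)], [("list_pair", n1, n2)], [])]

def base_formulas(max_unfold):
    # Lazy-initialisation style: unfold the predicate of each open leaf; a leaf
    # with no predicate left is a base formula (one heap shape). Leaves that
    # still carry a predicate after max_unfold steps are dropped.
    fresh, results = count(), []
    frontier = [([], [("list_pair", "x", "y")], [])]
    for _ in range(max_unfold):
        nxt = []
        for pts, preds, nulls in frontier:
            (_, a, b), rest = preds[0], preds[1:]
            for p2, r2, e2 in unfold_list_pair(a, b, fresh):
                leaf = (pts + p2, rest + r2, nulls + e2)
                (nxt if leaf[1] else results).append(leaf)
        frontier = nxt
    return [(pts, nulls) for pts, _, nulls in results]

def concretise(points_to, nulls):
    # Every ↦ root becomes a fresh Node (payload 1 is a constructed placeholder;
    # the shape leaves it unconstrained); variables equal to null become None.
    objs = {v: Node(1) for v, _ in points_to}
    for v, tgt in points_to:
        objs[v].next = None if tgt in nulls else objs[tgt]
    return objs.get("x"), objs.get("y")

def length(n):
    return 0 if n is None else 1 + length(n.next)

def add(x, y):
    # Python port of the slide's add(): walks both lists in lockstep, so it only
    # dereferences y where list_pair(x,y) (equal lengths) guarantees y != null.
    dummy = z = Node(0)
    while x is not None:
        z.next = Node(x.val + y.val)
        x, y, z = x.next, y.next, z.next
    return dummy.next
```

Every generated pair satisfies the precondition, which is why add() never dereferences a null y on these inputs, unlike test cases generated without the shape predicate.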


Experimental Results

Benchmarks: 74 methods - Singly Linked List, Doubly Linked List, Stack, Binary Search Tree, and Red Black Tree from SIR; AVL Tree and AA Tree from Sireum/Kiasan; and Gantt project from SUSHI (ISSTA 2017).

Valid Test: BBE (8.14%), JBSE (0.72%), ours (100%)

Coverage: BBE (38.01%), JBSE (33.23%), ours (99.1%)


1 Program Testing

2 SAT Solver
  Syntax
  Problem
  Decidable Fragment

3 Conclusion


A fragment of Separation Logic

Formula          Φ ::= ∆ | Φ1 ∨ Φ2
                 ∆ ::= ∃v̄. (κ ∧ π)
Spatial formula  κ ::= emp | x ↦ c(v̄) | P(v̄) | κ1 ∗ κ2
Pure formula     π ::= π1 ∧ π2 | α | φ

α: Pointer (Dis)Equalities

φ: Presburger arithmetic

P: inductive predicate. Predicate Definition: P(t̄) ≡ Φ

Warning: no pointer arithmetic and no magic wand


Satisfiability Problem

Input: A formula ∆ in the fragment

Question: Is ∆ satisfiable?

Challenges:

Unbounded heaps

Infinite numerical domain


Proof by Induction

Base case

Induction case

Cyclic Proof (J. Brotherston - UCL, J. Jaffar et al. - NUS)

Cyclic proof tree: ∆0 → {∆11, ∆12⋆}; ∆11 → {∆21, ∆22}; ∆12⋆ → {∆31, ∆32⋆}

Weaken ∆32 to ∆′32

Find σ s.t. ∆′32σ ⇒ ∆12


Cyclic Proof

From Entailment Problem (∆a ⊢ ∆c) to Satisfiability Problem (∆a ⊢ false)

Shape and Integer domains

link back simultaneously (CAV 2016)

Shape then Integer (CAV 2017)


Our Approach - CAV 2017

Decision Procedure: Base Computation

Compute for each inductive predicate a finite representation that

precisely characterises its satisfiability.


Base of Inductive Predicate: Example 1

Inductive predicate: Singly-linked list with size property

pred ll_size(root,n) ≡ emp ∧ root=null ∧ n=0
                     ∨ ∃r,n1. root ↦ node(_,r) ∗ ll_size(r,n1) ∧ n=n1+1

Example:

baseP(ll_size(root,n)) ≡ {emp ∧ root=null ∧ n=0, root ↦ node(_,_) ∧ n>0}


Projections

Inductive predicate: Singly-linked list with size property

pred ll_size(root,n) ≡ emp ∧ root=null ∧ n=0
                     ∨ ∃r,n1. root ↦ node(_,r) ∗ ll_size(r,n1) ∧ n=n1+1

Spatial projection

ll_sizeS(root) ≡ emp ∧ root=null
               ∨ ∃r. root ↦ nodeS(r) ∗ ll_sizeS(r)

Numerical projection

ll_sizeN(n) ≡ n=0
            ∨ ∃n1. ll_sizeN(n1) ∧ n=n1+1


Phase 1: Cyclic Tree for Spatial projection

ll_sizeS(root) ≡ emp ∧ root=null
               ∨ ∃r. root ↦ nodeS(r) ∗ ll_sizeS(r)

∆0 ≡ ll_sizeS(root)
∆1 ≡ emp ∧ root=null
∆2 ≡ ∃r. root ↦ nodeS(r) ∗ ll_sizeS(r)

Unfolding tree: ∆0 → {∆1, ∆2}

Base: {emp ∧ root=null, root ↦ node(_,_)}

Why not continue unfolding?


Foundation of Base Computation

For each formula, eliminating existentially quantified pointer-typed variables produces an equi-satisfiable formula.

Example: ∆2 ≡ ∃r. root ↦ nodeS(r) ∗ ll_sizeS(r) is equi-satisfiable with

∆̂2 ≡ ∃r. root ↦ nodeS(r)


Phase 2: Cyclic Tree for Numeric projection

ll_sizeN(n) ≡ n=0
            ∨ ∃n1. ll_sizeN(n1) ∧ n=n1+1

The cyclic tree for the numeric projection follows the same unfolding pattern as the one for the spatial projection.

π0 ≡ ll_sizeN(n)
π1 ≡ n=0
π2 ≡ ∃n1. ll_sizeN(n1) ∧ n=n1+1

Unfolding tree: π0 → {π1, π2}

Base: {n=0, n>0} (find the closed form of ll_sizeN(n1).)


Base Computation

Finite Representation: Base Formula (without inductive predicates)

Combining empty heap (emp), points-to (↦), spatial conjunction (∗) and Presburger Arithmetic

Example:

SAT:   ∆1 ≡ emp ∧ x=null ∧ n=0

UNSAT: ∆2 ≡ x ↦ node(n,y) ∗ y ↦ node(n−1,null) ∧ x=y

The fragment of base formulas is decidable (Piskac, Wies and Zufferey - CAV 2013; Navarro and Rybalchenko - APLAS 2013)
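The pointer part of the base-formula check, written here as an added example and not the talk's solver: equalities are collapsed with union-find, and the formula is UNSAT when a cell's root is null, when two separately conjoined cells share a root (as for ∆2 above, where x=y), or when a disequality relates two equal variables. The Presburger part (n=0, n−1) is left to an arithmetic solver and is not modelled; the same check serves as the over-approximation used to close unsatisfiable leaves when building the unfolding tree.

```python
class UnionFind:
    # Equivalence classes of pointer variables induced by the equalities in π.
    def __init__(self):
        self.parent = {}

    def find(self, v):
        self.parent.setdefault(v, v)
        while self.parent[v] != v:
            self.parent[v] = self.parent[self.parent[v]]   # path halving
            v = self.parent[v]
        return v

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def pointer_sat(points_to, equalities, disequalities):
    """points_to: roots x of the cells x ↦ c(..) joined by ∗ (empty = emp).
    equalities / disequalities: pairs of pointer variables; "null" is a variable.
    Returns True iff the spatial part plus the pointer (dis)equalities have a model."""
    uf = UnionFind()
    for a, b in equalities:
        uf.union(a, b)
    null = uf.find("null")
    roots = [uf.find(x) for x in points_to]
    if null in roots:                       # x ↦ c(..) forces x ≠ null
        return False
    if len(set(roots)) != len(roots):       # ∗ forces the cells to be distinct
        return False
    # Distinct classes can be mapped to distinct addresses, so only a
    # disequality between two equal variables can still contradict.
    return all(uf.find(a) != uf.find(b) for a, b in disequalities)

# The slide's two base formulas, pointer part only (constructed encodings).
DELTA1_SAT = pointer_sat([], [("x", "null")], [])        # emp ∧ x=null ∧ n=0
DELTA2_SAT = pointer_sat(["x", "y"], [("x", "y")], [])   # x ↦ .. ∗ y ↦ .. ∧ x=y
```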


Base Computation

Given an inductive predicate P(x̄) ≡ Φ,

  1 Construct a cyclic unfolding tree for ∆0 ≡ P(x̄)

  2 Flatten the tree into a disjunctive set of base formulas

Cyclic unfolding tree: ∆0 → {∆11, ∆12⋆}; ∆11 → {∆21, ∆22}; ∆12⋆ → {∆31, ∆32⋆}

Flattened tree: ∆0 → {∆11, ∆̂31}; ∆11 → {∆21, ∆22}

baseP(P(x̄)) ≡ {∆21, ∆̂31}


Constructing Cyclic Unfolding Tree

Given an inductive predicate P(x̄) ≡ Φ, construct an unfolding tree for ∆0 ≡ P(x̄) through iterations of actions:

  1 Choose an open leaf; close it if it can be reduced into a base formula, i.e. if it is
      a base formula, or
      a formula in which the pointer-typed parameters of every inductive predicate are existentially quantified, or
      its over-approximation is unsat, or
      it can be linked back to form a circular path.

  2 Otherwise, unfold it.

Cyclic unfolding tree: ∆0 → {∆11, ∆12⋆}; ∆11 → {∆21, ∆22}; ∆12⋆ → {∆31, ∆32⋆}


Example 2: Constructing Cyclic Unfolding Tree

pred Q(x,y,n) ≡ ∃y1. x ↦ node(null,y1) ∧ y=null ∧ x≠null ∧ n=1
              ∨ ∃x1,y1,n1. y ↦ node(x1,y1) ∗ Q(x,y1,n1) ∧ y≠null ∧ n=n1+2

∆0 ≡ Q(x,y,n)

  1 Base Detection. None

  2 Over-Approximation. π0 ≡ true. Not UNSAT

  3 Cyclic Detection. None

Figure: Unfolding Tree T0, consisting of the single node ∆0.


Example 2: Constructing Cyclic Unfolding Tree

pred Q(x,y,n) ≡ ∃y1. x ↦ node(null,y1) ∧ y=null ∧ x≠null ∧ n=1
              ∨ ∃x1,y1,n1. y ↦ node(x1,y1) ∗ Q(x,y1,n1) ∧ y≠null ∧ n=n1+2

∆2 ≡ ∃x1,y1,n1. y ↦ node(x1,y1) ∗ Q(x,y1,n1) ∧ y≠null ∧ n=n1+2

∆3 ≡ ∃x1,y1,n1,y2. y ↦ node(x1,y1) ∗ x ↦ node(null,y2) ∧ y1=null ∧ x≠null ∧ n1=1 ∧ y≠null ∧ n=n1+2

∆4 ≡ ∃x1,y1,n1,x2,y2,n2. y ↦ node(x1,y1) ∗ y1 ↦ node(x2,y2) ∗ Q(x,y2,n2) ∧ y1≠null ∧ n1=n2+2 ∧ y≠null ∧ n=n1+2

  1 Base Detection. ∆3

  2 Over-Approximation. π4 ≡ ..... Not UNSAT

  3 Cyclic Detection. Yes

Figure: Unfolding Tree T2 for Q: ∆0 → {∆1, ∆2♣}; ∆2♣ → {∆3, ∆4♣}


Example 2: Constructing Cyclic Unfolding Tree

Cyclic Detection

∆2 ≡ ∃x1,y1,n1. y ↦ node(x1,y1) ∗ Q(x,y1,n1) ∧ y≠null ∧ n=n1+2

∆4 ≡ ∃x1,y1,n1,x2,y2,n2. y ↦ node(x1,y1) ∗ y1 ↦ node(x2,y2) ∗ Q(x,y2,n2) ∧ y1≠null ∧ n1=n2+2 ∧ y≠null ∧ n=n1+2

Steps

  1 matching externally visible points-to predicates: y ↦ node(_,_)

  2 matching externally visible inductive predicates: Q(x,_,_)
    In general, we may need to group isomorphic inductive predicates beforehand (same predicate name and same sequence of free arguments)

  3 matching externally visible (dis)equalities over pointers: y≠null



Example 2: Flattening Cyclic Unfolding Tree

Cyclic unfolding tree: ∆0 → {∆1, ∆2♣}; ∆2♣ → {∆3, ∆4♣}

Unrolled tree: ∆0 → {∆1, ∆2}; ∆2 → {∆3, ∆4}; ∆4 → {∆3¹, ∆4¹}; ...

∆3flat ≡ ∆3 ∨ ∆3¹ ∨ ...

∆3 ≡ ∃x1,y1,n1,y2. (y ↦ node(x1,y1) ∗ x ↦ node(null,y2) ∧ x≠null ∧ y≠null ∧ n=n1+1) ∧ (y1=null ∧ n1=1)

∆3¹ ≡ ∃x1,y1,n1,x2,y2,n2,y3. (y ↦ node(x1,y1) ∗ x ↦ node(null,y3) ∧ x≠null ∧ y≠null ∧ n=n1+1) ∗ (y1 ↦ node(x2,y2) ∧ y2=null ∧ n1=n2+2 ∧ n2=1)


Example 2: Flattening Cyclic Unfolding Tree

Cyclic unfolding tree: ∆0 → {∆1, ∆2♣}; ∆2♣ → {∆3, ∆4♣}

Pcyc(n1) ≡ n1=1 ∨ ∃n2. n1=n2+2 ∧ Pcyc(n2)

Pcyc(n1) ≡ ∃k. n1=2k+1 ∧ k≥0

∆̂3 is equi-satisfiable to ∆3flat:

∆̂3 ≡ ∃x1,y1,x2,y2,n1. (y ↦ node(x1,y1) ∗ x ↦ node(null,y2) ∧ x≠null ∧ y≠null ∧ n=n1+1) ∧ (∃k. n1=2k+1 ∧ k≥0)


Flattening Cyclic Unfolding Tree

Cyclic unfolding tree: ∆0 → {∆1, ∆2♣}; ∆2♣ → {∆3, ∆4♣}

=⇒

Flattened tree: ∆0 → {∆1, ∆̂3}

baseP(Q(x,y,n)) ≡ {∆1, ∆̂3}


Proposed Decidable Fragment

An inductive predicate is in the proposed decidable fragment if all
  numerical projections of base leaves; and
  Pcyc predicates
are Presburger-definable (i.e., can be computed as Presburger formulas).

Some systems of arithmetic inductive predicates are Presburger-definable:

  DPI (Tatsuta et al. - APLAS 2016)

  periodic sets (Bozga et al. - CAV 2010)


Conclusion

Test Input Generation using Separation Logic

A decision procedure for an extensible decidable fragment in separation logic including general inductive predicates and arithmetic

Base Computation:

  Construct Unfolding Tree: ∆0 → {∆11, ∆12⋆}; ∆11 → {∆21, ∆22}; ∆12⋆ → {∆31, ∆32⋆}

  Flatten Unfolding Tree: ∆0 → {∆11, ∆̂31}; ∆11 → {∆21, ∆22}

  baseP(P(v̄)) ≡ {∆21, ∆̂31}


Future Work

SAT solver

array separation logic with inductive predicates

extension of separation logic with string logic

Cyclic proof: ENT to SAT and now back to ENT

for bi-abduction problem

completeness
