Dealing with complex constraints in symbolic execution
Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion
Dealing with constraints in symbolic execution
Bernhard Mallinger
Programming Languages Seminar SS13
TU Wien
June 11th, 2013
Bernhard Mallinger Programming Languages Seminar SS13 TU Wien
Dealing with constraints in symbolic execution
Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion
Outline
1 Constraints in Symbolic Execution
2 Optimisations: Constraint independence, Solution caching, Incremental solving
3 Heuristic Approach: Motivation, CORAL
4 Conclusion
Constraints in Symbolic Execution
Constraints on variables are collected by analysing code:
    if (preproc) {
        if (extensive_preproc) {
            // extensive preprocessing
        }
    }

The extensive-preprocessing block is reached iff PC ∧ preproc ∧ extensive_preproc is satisfiable, where PC is the path condition collected up to this point. Asking the solver this question serves two purposes:
- Unreachability test: an unsatisfiable condition proves the block is dead on this path.
- Test case generator: a satisfying assignment is a concrete input that drives execution into the block.
Solvers
Depending on the code, different kinds of solvers are efficient:
- Linear arithmetic
- Complex functions
- General, unstructured constraints
- ...

Tremendous speedup in recent years (SAT). Constraints over continuous functions in particular are still not solvable by exact solvers. Constraint solving dominates the runtime of symbolic execution.
Constraint independence
In the path condition, all constraints are conjoined, but not all of them are related. Separate the logically independent groups and hand each group to the solver on its own.

    if (preproc) {
        // do preproc
    }
    // algo
    if (postproc) {
        // do postproc
    }

The four paths through this code yield the path conditions
PC ∧ preproc ∧ postproc
PC ∧ preproc ∧ ¬postproc
PC ∧ ¬preproc ∧ postproc
PC ∧ ¬preproc ∧ ¬postproc
but preproc and postproc never occur in a common constraint, so each of the four queries splits into one independent query over preproc and one over postproc.

Two variables are related if they appear in the same constraint; relatedness propagates through shared variables, so computing the groups is a reachability problem (connected components) on the graph of variables and constraints.
Solution caching
Multiple queries contain the same independent groups of constraints ⇒ simply cache the results per group. More elaborate: exploit repetitions in path conditions, which grow by one predicate per branch taken:

    if (preproc) {
        if (extensive_preproc) {
            // do extensive preprocessing
        }
    }

PC ∧ preproc
PC ∧ preproc ∧ extensive_preproc
Constraint                            Solution
C1 = {preproc}                        S1 = {preproc ↦ 1}
C2 = {preproc, ext_preproc}           S2 = {preproc ↦ 1, ext_preproc ↦ 1}
C3 = {preproc, ¬preproc}              ✗ (unsatisfiable)
C4 = {preproc, ¬preproc, postproc}    ✗ (unsatisfiable)

- S2 is also a solution to C1, because C1 ⊆ C2: a cached solution for a superset satisfies every subset of it.
- Since C3 is unsatisfiable, so is C4, because C3 ⊆ C4: an unsatisfiable cached subset settles the larger query without calling the solver.
- S2 is often an extension of S1, since C1 ⊆ C2: before solving C2, check whether the cached solution of the subset C1 already satisfies the added constraints.
Incremental solving
In the queries generated by symbolic execution, often only the last predicates differ:

    if (postproc) {
        if (fancy_output) {
            // print fancy statistics
        }
    }

PC ∧ postproc
PC ∧ postproc ∧ fancy_output

Determine the set of variables that depend on the variables in the last predicate, solve only that part anew, and otherwise reuse the old solution.
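The three optimisations above fit together in the following Python sketch. It is an added example written for this transcript, not KLEE's code or anything from the slides: constraints are small integer predicates over a four-value domain, and exhaustive enumeration stands in for the SMT solver so that the cost of each query can be counted. `independent_groups` does the union-find split of the constraint independence slides, `CounterexampleCache` implements the subset/superset rules of the caching slides, and `solve_incremental` re-solves only the group that a newly added predicate touches. All names, the domain size and the example constraints are constructed for illustration.

```python
import itertools
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed toy setting (not KLEE's code): integer variables over a tiny domain,
# so that exhaustive enumeration can stand in for the SMT solver a real engine calls.
DOMAIN = range(4)
Assignment = Dict[str, int]

@dataclass(frozen=True)
class Constraint:
    name: str                       # unique; identifies the constraint in cache keys
    variables: FrozenSet[str]
    pred: Callable[[Assignment], bool] = field(compare=False, hash=False)

def C(name: str, *variables: str, pred: Callable[[Assignment], bool]) -> Constraint:
    return Constraint(name, frozenset(variables), pred)

SOLVER_EVALS = {"count": 0}         # instrumentation: candidate assignments tried

def brute_force_solve(constraints: List[Constraint]) -> Optional[Assignment]:
    """Stand-in solver: enumerate every assignment of the variables in this set."""
    vs = sorted(set().union(*(c.variables for c in constraints)))
    for values in itertools.product(DOMAIN, repeat=len(vs)):
        SOLVER_EVALS["count"] += 1
        env = dict(zip(vs, values))
        if all(c.pred(env) for c in constraints):
            return env
    return None

def independent_groups(constraints: Iterable[Constraint]) -> List[List[Constraint]]:
    """Constraint independence: union-find over variables. Two constraints share a
    group iff they are connected through common variables (a reachability problem)."""
    cs = list(constraints)
    parent: Dict[str, str] = {}

    def find(v: str) -> str:
        while parent.setdefault(v, v) != v:
            v = parent[v]
        return v

    for c in cs:
        vs = sorted(c.variables)
        for v in vs[1:]:
            parent[find(v)] = find(vs[0])
    groups: Dict[str, List[Constraint]] = {}
    for c in cs:
        key = find(min(c.variables)) if c.variables else "#" + c.name
        groups.setdefault(key, []).append(c)
    return list(groups.values())

def solve(constraints: List[Constraint]) -> Optional[Assignment]:
    """Solve each independent group on its own; one unsat group sinks the whole query."""
    solution: Assignment = {}
    for group in independent_groups(constraints):
        part = brute_force_solve(group)
        if part is None:
            return None
        solution.update(part)
    return solution

class CounterexampleCache:
    """Cache keyed by constraint *set*, with the subset/superset rules from the slides."""
    def __init__(self) -> None:
        self.entries: Dict[FrozenSet[Constraint], Optional[Assignment]] = {}
        self.hits = 0

    def lookup(self, query: FrozenSet[Constraint]) -> Tuple[bool, Optional[Assignment]]:
        for key, sol in self.entries.items():
            if sol is None and key <= query:      # C3 ⊆ C4 and C3 unsat => C4 unsat
                self.hits += 1
                return True, None
            if sol is not None and key >= query:  # C1 ⊆ C2 => S2 also solves C1
                self.hits += 1
                return True, {v: sol[v] for c in query for v in c.variables}
        for key, sol in self.entries.items():
            if sol is not None and key < query:   # S1 often extends to S2: try it first
                ext = dict(sol)
                for c in query:
                    for v in c.variables:
                        ext.setdefault(v, DOMAIN[0])
                if all(c.pred(ext) for c in query):
                    self.hits += 1
                    return True, ext
        return False, None

    def solve(self, constraints: Iterable[Constraint]) -> Optional[Assignment]:
        query = frozenset(constraints)
        hit, sol = self.lookup(query)
        if not hit:
            sol = solve(list(query))
            self.entries[query] = sol
        return sol

def solve_incremental(old: List[Constraint], old_sol: Assignment,
                      new: Constraint) -> Optional[Assignment]:
    """Re-solve only the group the new predicate touches; keep the old solution elsewhere."""
    touched = next(g for g in independent_groups(old + [new]) if new in g)
    part = brute_force_solve(touched)
    return None if part is None else {**old_sol, **part}

# Constructed path-condition fragments (integer stand-ins for the slide's boolean flags).
a_lt_b = C("a < b", "a", "b", pred=lambda e: e["a"] < e["b"])
b_lt_3 = C("b < 3", "b", pred=lambda e: e["b"] < 3)
b_gt_a2 = C("b > a + 2", "a", "b", pred=lambda e: e["b"] > e["a"] + 2)
c_eq_2 = C("c == 2", "c", pred=lambda e: e["c"] == 2)
d_ge_c = C("d >= c", "c", "d", pred=lambda e: e["d"] >= e["c"])

def evals_for(fn, *args) -> int:
    """Run fn(*args) and report how many candidate assignments the stand-in solver tried."""
    before = SOLVER_EVALS["count"]
    fn(*args)
    return SOLVER_EVALS["count"] - before
```

The payoff is easiest to see on an unsatisfiable query: `{a < b, b < 3, b > a + 2, c == 2, d >= c}` has no solution over the domain 0..3. Solving it monolithically tries all 4^4 = 256 assignments, while `solve` stops after the 16 assignments of the group {a, b}, because one unsatisfiable group already decides the query. The cache then answers the same unsatisfiable set extended by further constraints, and any subset of a solved set, without touching the solver at all.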
Empirical results
Figure: Performance with and without the solution cache and constraint independence optimisation in KLEE. Source: Cadar et al., 2008
Motivation
- Still many unsolvable path conditions
- The solution space cannot be searched exhaustively, so guess smartly and improve the guesses
- A reasonable way of "thinking": reinterpret the decision problem as an optimisation problem and minimise the constraint violations
- New precondition: locality in the solution space (candidates close to a solution violate the constraints less)
- Works for all domains, given locality
Metaheuristics
- Random initial solutions probably contain viable fragments
- Optimise the given invalid solutions by local search
- Combine promising solutions
- Steer towards regions of high objective value
CORAL
Example of the kind of path condition over floating-point functions that CORAL targets:

x · tan(y) + z < x · arctan(z) ∧
sin(y) + cos(y) + tan(y) ≥ x − z ∧
arctan(x) + arctan(y) > y
- Focus on floating point computation
- Solves constraints by particle swarm optimisation (a population-based metaheuristic)
- Generates initial solutions randomly, in a range determined by an interval solver
- "Solves all constraints that exact solvers manage and more"
CORAL: Stepwise Adaptive Weighting
- Solutions with even minimal constraint violations are still infeasible
- Avoiding local optima is critical

Stepwise Adaptive Weighting (SAW):
- Change the objective function dynamically at runtime
- Reward solutions that satisfy hard-to-solve constraints
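To make the heuristic approach concrete, here is an added Python example (written for this transcript, not CORAL's implementation) that searches for a solution of the floating-point constraint shown on the CORAL slide with a basic particle swarm and stepwise adaptive weighting. Each constraint is turned into a distance to satisfaction that is 0 exactly when it holds, the swarm minimises the weighted sum of these distances, and every `saw_period` rounds the weights of the constraints the best particle still violates are raised, which is the SAW idea above. The swarm size, inertia and acceleration coefficients, the search bounds and the strictness margin `EPS` are choices made for this example, not values from CORAL; the interval-solver pre-pass CORAL uses for the initial range is replaced here by a fixed box.

```python
import math
import random
from typing import Callable, List, Optional, Sequence, Tuple

EPS = 1e-6   # margin so that a strict inequality counts as satisfied only when it truly holds

# The path condition from the CORAL slide, as (label, lhs, op, rhs) over (x, y, z).
Fn = Callable[[float, float, float], float]
CONSTRAINTS: List[Tuple[str, Fn, str, Fn]] = [
    ("x*tan(y) + z < x*arctan(z)",
     lambda x, y, z: x * math.tan(y) + z, "<", lambda x, y, z: x * math.atan(z)),
    ("sin(y) + cos(y) + tan(y) >= x - z",
     lambda x, y, z: math.sin(y) + math.cos(y) + math.tan(y), ">=", lambda x, y, z: x - z),
    ("arctan(x) + arctan(y) > y",
     lambda x, y, z: math.atan(x) + math.atan(y), ">", lambda x, y, z: y),
]

def distance(op: str, a: float, b: float) -> float:
    """How far 'a op b' is from holding (0.0 iff it holds): the decision problem
    reinterpreted as a minimisation problem."""
    if op == "<":  return 0.0 if a < b else (a - b) + EPS
    if op == ">":  return 0.0 if a > b else (b - a) + EPS
    if op == "<=": return 0.0 if a <= b else a - b
    if op == ">=": return 0.0 if a >= b else b - a
    raise ValueError(op)

def violations(p: Sequence[float]) -> List[float]:
    """Per-constraint distances; non-finite values (e.g. near a tan pole) become inf."""
    out = []
    for _, lhs, op, rhs in CONSTRAINTS:
        try:
            d = distance(op, lhs(*p), rhs(*p))
        except (ValueError, OverflowError):
            d = math.inf
        out.append(d if math.isfinite(d) else math.inf)
    return out

def satisfies_all(p: Sequence[float]) -> bool:
    return all(d == 0.0 for d in violations(p))

def weighted(vs: Sequence[float], weights: Sequence[float]) -> float:
    return sum(w * d for w, d in zip(weights, vs))

def pso_saw(seed: int, particles: int = 60, iters: int = 500, bounds=(-5.0, 5.0),
            saw_period: int = 20, saw_step: float = 1.0) -> Optional[List[float]]:
    """Particle swarm search for a point with zero weighted violation. SAW: every
    saw_period rounds, raise the weight of each constraint the best particle still
    violates, so that a local optimum satisfying only the easy constraints stops paying."""
    rng = random.Random(seed)
    lo, hi = bounds
    weights = [1.0] * len(CONSTRAINTS)
    pos = [[rng.uniform(lo, hi) for _ in range(3)] for _ in range(particles)]
    vel = [[0.0, 0.0, 0.0] for _ in range(particles)]
    pbest = [p[:] for p in pos]                 # personal best positions
    pviol = [violations(p) for p in pos]        # raw distances at the personal bests

    def best() -> Tuple[List[float], List[float]]:
        i = min(range(particles), key=lambda j: weighted(pviol[j], weights))
        return pbest[i][:], pviol[i][:]

    gpos, gviol = best()
    for it in range(1, iters + 1):
        if all(d == 0.0 for d in gviol):
            return gpos
        for i in range(particles):
            for k in range(3):
                r1, r2 = rng.random(), rng.random()
                vel[i][k] = (0.7 * vel[i][k] + 1.5 * r1 * (pbest[i][k] - pos[i][k])
                             + 1.5 * r2 * (gpos[k] - pos[i][k]))
                pos[i][k] = min(hi, max(lo, pos[i][k] + vel[i][k]))
            v = violations(pos[i])
            if weighted(v, weights) < weighted(pviol[i], weights):
                pbest[i], pviol[i] = pos[i][:], v
                if weighted(v, weights) < weighted(gviol, weights):
                    gpos, gviol = pos[i][:], v
        if it % saw_period == 0:
            for j, d in enumerate(gviol):
                if d > 0.0:
                    weights[j] += saw_step
            gpos, gviol = best()                # re-rank personal bests under new weights
    return gpos if all(d == 0.0 for d in gviol) else None

def find_solution(max_restarts: int = 20) -> Optional[List[float]]:
    """Restart the swarm with fresh seeds until a point satisfying all constraints is found."""
    for seed in range(1, max_restarts + 1):
        sol = pso_saw(seed)
        if sol is not None:
            return sol
    return None
```

Two details carry the weight here. The distance functions must be zero only when the relation really holds (hence `EPS` for strict inequalities), because a candidate with a tiny residual violation is still not a valid test input. And the swarm ranks candidates by raw distances combined with the current weights, so when SAW changes the weights the personal bests are re-ranked instead of being thrown away. The point (x, y, z) = (1, −0.5, 1.2) satisfies all three constraints and is a convenient sanity check for `satisfies_all`.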
Conclusion
- Constraint solving dominates the runtime of symbolic execution
- Unsolvable constraints severely hinder symbolic execution
- Some optimisations: constraint independence, solution caching, incremental solving
- Harder constraints can and have to be solved (meta-)heuristically:
  - Navigate reasonably, not exhaustively, through the search space
  - Try to optimise infeasible solutions in a goal-oriented way
  - Deal with local optima (e.g. by SAW)