Inferring Specifications to Detect Errors in Code
Mana Taghdiri
Presented by: Robert Seater, MIT Computer Science & AI Lab
ASE 2004
Outline
- Problem: function specs
- Key insights
- Algorithmic details
- Experimental results
- Related work
- Conclusions
Problem Statement
- Software model checkers ignore code modularity: procedures are treated as control flow and in-lined, so procedure boundaries are not exploited.
- This is odd, and it can cause trouble scaling.
Problem Statement
- In contrast, traditional methods are based on code structure. Examples: ESC/Java, Jalloy.
- The user has to provide procedure specs.
(Diagram: a procedure P called from call sites C1 and C2 inside C, with specs S1 and S2; a variant P' with specs S1' and S2'.)
Example

  procedure f(bool b, List x, List y) { g(b, x); h(y); }
  procedure g(bool b, List x) { if (b) then mutate x; else mutate' x; }

Property to check: if (b) then x is acyclic
Generic Analyzer
(Diagram, user's view: a program and a property go in; the answer is either "satisfies" or a counterexample. A generic analyzer needs a specification supplied alongside the program; in our approach the specification is inferred instead.)
Our Approach: a procedure-based automatic analysis
- Procedures give modularity, and modularity helps the analysis scale.
- Procedure specs are inferred automatically; they are property-dependent and call-site-dependent.
- A counterexample-guided refinement technique is used to detect bugs.
- Sound error reports: every reported counterexample is a real bug. Incomplete: the absence of a counterexample holds only within the finite bounds.
Example (continued): two rounds of the analysis on the f/g/h example above, against the property "if (b) then x is acyclic"

Round 1 trace: b = true, x = empty, g(b, x) = mangled mess, y = …, h(y) = …
  mangled(empty) is cyclic. The property fails, but g was allowed any behavior its partial spec admits; this behavior is not g's real behavior, so g's spec is refined.
Round 2 trace: b = true, x = empty, g(b, x) = mutated x, y = …, h(y) = …
  mutate(empty) is cyclic. The property fails and the behavior is what g really does, so this is a bug.
Algorithmic Overview
(Flow diagram: program -> abstract program -> logical constraints, conjoined with the negated property -> solve. Unsat: the program satisfies the property. Sat: an abstract trace -> check validity. Valid: the trace is a counterexample, a bug. Invalid: refine the spec using the unsat core and rebuild the abstract program.)
The steps of the diagram, in order:
Program: written in a subset of Java. Finitized by unwinding loops and recursion a user-provided number of times.
Property: a partial spec of the selected procedure, about the structure of the heap, written as logical constraints in Alloy.
Abstract program: the called procedures are under-constrained. Initially each spec is just the procedure's frame conditions (generated bottom up).
Logical constraints: a semantics-preserving translation to Alloy, using the same technique as Jalloy.
Solve: the Alloy Analyzer, with a SAT solver back end (ZChaff). Solutions are assignments that satisfy the current specs but violate the property.
Unsat: solutions are counterexamples, so no solution means there is no counterexample to the property within the finite bounds. This gives no guarantee about the general case.
Sat: the solution may be a counterexample. It is a trace in the abstract program that assigns a behavior to each procedure: a before/after pair of program states at each call site.
Check validity: the behaviors assigned to procedures may be too relaxed. Examine each procedure individually, checking its assigned behavior against the full procedure, not just its current (partial) spec.
Valid: if all procedures have valid behaviors, the counterexample is real: a bug in the original code.
Invalid: some procedure p is invalid. Refine the spec of p just enough to exclude the bad trace, using the unsat core to choose which constraints to add.
Repeat until a conclusive result. The loop is guaranteed to terminate: at worst, each spec grows into the entire procedure.
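The loop above, as an added example that is not the authors' tool or code: a Python re-creation on a bounded two-node heap in which exhaustive enumeration stands in for the Alloy/SAT back end and the "unsat core" degenerates to the first constraint of the callee's translation that the bad behavior violates (with fully concrete before/after states, that is all a core can contain). The program is the slides' f(b, x, y) { g(b, x); h(y); }, but the procedure bodies are assumptions made for the example: g's then-branch "mutate" is taken to be a list rotation with a planted singleton bug, h is taken to drop its argument's head, and the property is "if b and x is acyclic on entry, x is acyclic on exit". The constraint names, the state encoding and the bug are likewise constructed here.

```python
"""Toy re-creation of the slides' refinement loop (constructed example, not the authors'
tool): a bounded 2-node heap, exhaustive enumeration in place of the Alloy/SAT back end,
and an 'unsat core' that is just the first violated constraint of a callee's translation."""
from itertools import product

N = 2                                            # user-provided bound: nodes 0..N-1
VALS = (None,) + tuple(range(N))
STATES = [(h, nx) for h in VALS for nx in product(VALS, repeat=N)]   # (head, nxt); 27 states

def acyclic(lst):
    head, nxt = lst
    seen, cur = set(), head
    while cur is not None:
        if cur in seen: return False
        seen.add(cur); cur = nxt[cur]
    return True

def put(nxt, i, v):                              # functional update of one next pointer
    return nxt[:i] + (v,) + nxt[i + 1:]

def drop_head(lst):
    head, nxt = lst
    return lst if head is None else (nxt[head], nxt)

def rotate(lst, fixed=False):
    """Move the head node to the tail (the slides' 'mutate'). Unfixed, a singleton
    self-loops: tail is head, so 'tail.next = head' undoes 'head.next = None'."""
    head, nxt = lst
    if head is None: return lst
    tail = head
    for _ in range(N):                           # loop unwound N times, like the tool
        if nxt[tail] is None: break
        tail = nxt[tail]
    if fixed and tail == head: return lst        # the fix: nothing to rotate
    new_head = head if nxt[head] is None else nxt[head]
    nxt = put(nxt, head, None)                   # head.next = None
    nxt = put(nxt, tail, head)                   # tail.next = head
    return (new_head, nxt)

def g_concrete(b, x, fixed=False):               # g(b, x): if b then rotate(x) else drop_head(x)
    return rotate(x, fixed) if b else drop_head(x)

def translate_g(fixed=False):
    """g's 'translation': named constraints over (b, pre, post) whose conjunction equals
    g_concrete. Per-branch pieces stand in for Jalloy-style per-statement constraints."""
    rot = lambda pre: rotate(pre, fixed)
    return {
        "g.then_empty": lambda b, pre, post: not b or pre[0] is not None or post == pre,
        "g.then_head":  lambda b, pre, post: not b or pre[0] is None or post[0] == rot(pre)[0],
        "g.then_links": lambda b, pre, post: not b or pre[0] is None or post[1] == rot(pre)[1],
        "g.else":       lambda b, pre, post: b or post == drop_head(pre),
    }
TRANSLATE_H = {"h.body": lambda b, pre, post: post == drop_head(pre)}   # h(y) drops y's head

def solve(specs, calls, prop):
    """Abstract trace search: each call's (pre, post) need only satisfy the callee's
    *current* spec, other state slots are untouched (the frame condition), and prop
    fails at the end. Returns (initial state, [(proc, pre, post), ...]) or None."""
    succ = {}
    def successors(proc, b, pre):
        if (proc, b, pre) not in succ:
            succ[proc, b, pre] = [post for post in STATES
                                  if all(c(b, pre, post) for c in specs[proc].values())]
        return succ[proc, b, pre]
    def search(s0, s, i, steps):
        if i == len(calls):
            return None if prop(s0, s) else (s0, steps)
        proc, slot = calls[i]
        for post in successors(proc, s[0], s[slot]):
            found = search(s0, s[:slot] + (post,) + s[slot + 1:], i + 1,
                           steps + [(proc, s[slot], post)])
            if found: return found
    for s0 in product((True, False), STATES, STATES):   # s0 = (b, x, y)
        found = search(s0, s0, 0, [])
        if found: return found

def analyze(procs, calls, prop):
    """Counterexample-guided refinement. Each round adds one constraint, so it ends
    within (total constraints + 1) rounds: once a spec is the full translation every
    trace it admits is real. Returns ('holds', rounds, specs) or ('bug', rounds, trace)."""
    specs = {p: {} for p in procs}               # nothing beyond frame conditions at first
    for rounds in range(1, sum(map(len, procs.values())) + 2):
        found = solve(specs, calls, prop)
        if found is None:
            return "holds", rounds, {p: sorted(specs[p]) for p in procs}
        s0, steps = found
        for proc, pre, post in steps:            # validate each call against the full procedure
            violated = [c for c, f in procs[proc].items() if not f(s0[0], pre, post)]
            if violated:                         # spurious: refine just enough to exclude it
                specs[proc][violated[0]] = procs[proc][violated[0]]
                break
        else:                                    # every call behaved like the real code: bug
            return "bug", rounds, (s0, steps)

# f(b, x, y) { g(b, x); h(y); }  property: if b and x is acyclic on entry, x is acyclic on exit
CALLS = [("g", 1), ("h", 2)]
PROP = lambda s0, s: not s0[0] or not acyclic(s0[1]) or acyclic(s[1])
def check(fixed):
    return analyze({"g": translate_g(fixed), "h": TRANSLATE_H}, CALLS, PROP)

if __name__ == "__main__":
    print(check(fixed=False))   # ('bug', 2, ...): rotating a singleton makes a self-loop
    print(check(fixed=True))    # ('holds', 4, ...): g.else and h.body never enter a spec
```

Run stand-alone, it prints a real counterexample for the buggy g after one spurious round (the first abstract trace lets g turn the empty list into a cyclic one, the analogue of the slides' "mangled(empty)" trace, and the validity check rejects it) and "holds" for the fixed g after three refinements. In both runs g's else-branch constraint and h's body never enter a spec, which is the property- and call-site-dependence the slides describe: only the constraints the property actually needs are pulled in.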
Experiments
- Preliminary results on graph manipulation code.
- Structural properties; all properties hold in the code, which shows the benefit of procedure abstraction.
- Comparison with Jalloy: same translation technique and same SAT solver, but Jalloy inlines all procedure calls.
Experimental Results

List.removeAll: the result list is a subset of the original list. No refinement iterations needed.

| Loop iter | Heap size | Jalloy #Var | Jalloy #Clause | Jalloy Time | Ours #Var | Ours #Clause | Ours Time | Improvement |
|---|---|---|---|---|---|---|---|---|
| 4 | 4 | 8216 | 18126 | 15 | 4928 | 10260 | 9 | 1.67 |
| 5 | 5 | 14555 | 34704 | 162 | 8611 | 19002 | 98 | 1.65 |
| 6 | 4 | 13554 | 30555 | 40 | 6702 | 14013 | 12 | 3.33 |
| 6 | 5 | 18137 | 43760 | 234 | 9857 | 21776 | 83 | 2.82 |

Improvement is the ratio of Jalloy's time to ours.
Experimental Results

Graph.remove: if the given node set is empty, the graph edges aren't changed. No refinement iterations needed.

| Loop iter | Heap size | Jalloy #Var | Jalloy #Clause | Jalloy Time | Ours #Var | Ours #Clause | Ours Time | Improvement |
|---|---|---|---|---|---|---|---|---|
| 3 | 3 | 27112 | 56241 | 61 | 3284 | 6589 | 5 | 12.2 |
| 4 | 4 | 66566 | 151323 | 164 | 6187 | 13507 | 8 | 20.5 |
| 4 | 5 | 87710 | 214959 | 206 | 9524 | 23383 | 27 | 7.63 |
| 5 | 4 | -- | -- | >900 | 6807 | 14794 | 8 | >112 |
| 5 | 5 | -- | -- | >900 | 10346 | 25263 | 36 | >25 |
| 6 | 4 | -- | -- | >900 | 7499 | 16207 | 9 | >100 |

"--" and ">900": Jalloy did not finish.
Experimental Results

Graph.remove: if the given node set is empty, the graph nodes aren't changed. Needs 3 refinement iterations.

| Loop iter | Heap size | Jalloy #Var | Jalloy #Clause | Jalloy Time | Ours #Var | Ours #Clause | Ours Time | Improvement |
|---|---|---|---|---|---|---|---|---|
| 3 | 3 | 27147 | 56298 | 44 | 5927 | 11652 | 7 | 6.29 |
| 4 | 4 | 66661 | 151489 | 123 | 11057 | 23450 | 13 | 9.46 |
| 4 | 5 | 87803 | 215129 | 224 | 15682 | 36890 | 107 | 2.09 |
| 5 | 4 | 108016 | 246914 | 359 | 13075 | 27446 | 17 | 20.9 |
| 5 | 5 | 141087 | 347466 | 586 | 18549 | 42948 | 191 | 3.07 |
Related Work
- Jalloy: structural properties, SAT-based analysis; inlines procedure calls, so it is not scalable.
- SLAM: predicate abstraction; not structural properties.
- ESC/Java: based on a theorem prover; needs user-provided procedure specifications.
- Flanagan's method: an extension to ESC that translates code to CLP and checks satisfiability.
- VeriFun: iteratively refined predicate abstraction.
- Bandera: static slicing based on the property; user-provided data abstraction; the intermediate model may be analyzed by a set of model checkers.
- Daikon: specification extraction tool; not dependent on context or property; dynamic, hence unsound (sound only over the test cases).
Conclusions
- Checks structural properties of the heap.
- Exploits the modularity of function calls.
- Infers context-dependent specs automatically.
- Uses counterexamples to refine specs.
- Uses the unsat core to produce small specs.