Program Analysis via Satisfiability Modulo Path Programs
1
William Harris, Sriram Sankaranarayanan, Franjo Ivančić, Aarti Gupta
POPL 2010
2
Assertions as Specifications
• Lightweight
• Often automatic from semantics
  – Null-pointer dereferences
  – Buffer overflows
3
    proc. foo(int* p, int pLen, int mode)
      assume (pLen > 1);
      int off, L := 1, bLen := 0;
      if (p = NULL) pLen := -1;
      if (mode = 0)
        off := 1;
      else
        off := 0;
      while (L <= pLen)
        bLen := L - off;
        L := 2 * L;
      assert(!p || bLen <= pLen);
4
Path Program: Left Branch, Left Branch
[Figure: the CFG of foo annotated along this path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1 at entry, … ∧ p = 0 ∧ pLen = -1, … ∧ p = 0 ∧ mode = 0, … ∧ p = 0 at the loop, and False at the error edge p ≠ 0 ∧ bLen > pLen.]
5
Path Program: Left Branch, Right Branch
[Figure: the CFG of foo annotated along this path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1 at entry, … ∧ p = 0, … ∧ p = 0 ∧ mode ≠ 0, … ∧ p = 0 at the loop, and False at the error edge.]
6
Path Program: Right Branch, Left Branch
[Figure: the CFG of foo annotated along this path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1 through the branches, bLen ≤ pLen at the loop and its exit, and False at the error edge.]
7
Path Program: Right Branch, Right Branch
[Figure: the CFG of foo annotated along this path program: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1, … ∧ p ≠ 0, bLen ≤ pLen at the loop and its exit, and False at the error edge.]
8
Control-Flow Abstraction
[Figure: the CFG of foo with the invariant bLen ≤ pLen at the loop and merge nodes and False at the error edge: the four path-program proofs combined into a proof of the whole control-flow abstraction.]
9
Key Issues
Need:
• abstraction
• refinement
that allow us to analyze a small set of path programs and generalize their proofs.
10
Road Map
• Satisfiability Modulo Path Programs (SMPP)
• Experimental Evaluation
11
Abstraction
1. Encode unproven path programs as propositional formula.
2. Query SAT solver for solution.
3. From the solution, extract an unverified path program.
Propositional Variables for Edges
[Figure: the CFG of foo with one propositional variable q0 .. q9 per edge.]
13
Encoding Path Programs
CFG form      Depiction            Encoding
entry edge    [figure: edge q0]    q0 = True
error edge    [figure: edge q9]    q9 = True
14
Encoding Path Programs
[Figure: a CFG node with incoming edges q3, q2 and outgoing edges q4, q5.]
Encoding of an internal node (an incoming edge is taken iff exactly one outgoing edge is taken, and vice versa):
q3 → exactlyOne(q4, q5)    q2 → exactlyOne(q4, q5)
q4 → exactlyOne(q3, q2)    q5 → exactlyOne(q3, q2)
15
Initial Abstraction of Example
Φ := q0
   ∧ (q0 ↔ exactlyOne(q1, q2)) ∧ (q1 ↔ q3)
   ∧ (exactlyOne(q3, q2) ↔ exactlyOne(q4, q5)) ∧ (q4 ↔ q6) ∧ (q5 ↔ q7)
   ∧ (exactlyOne(q6, q7) ↔ q8)
   ∧ (q8 ↔ q9)
   ∧ q9
[Figure: the CFG of foo with edge variables q0 .. q9.]
16
A Path Program from a SAT Solution
[Figure: the path program with edges q0, q2, q5, q7, q8, q9 highlighted in the CFG.]
17
Refinement
• Apply program analysis oracle to determine safety of path program
• If safe, then encode safety in the abstraction
18
Apply Analysis Oracle: Naïve
[Figure: the path program q0, q2, q5, q7, q8, q9 annotated by the oracle: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1, … ∧ p ≠ 0, bLen ≤ pLen at the loop and its exit, and False at the error edge.]
19
Prop. Encoding: Naïve
[Figure: the CFG with edge variables q0 .. q9; the proven path program q0, q2, q5, q7, q8, q9 is to be blocked.]
20
Naïve Blocking Clause
Φ := Φ ∧ ¬(q0 ∧ q2 ∧ q5 ∧ q7 ∧ q8 ∧ q9)
[Figure: the CFG with the blocked path program q0, q2, q5, q7, q8, q9 and its invariants.]
21
Apply Analysis Oracle: Local Repair
[Figure: the path program annotated with the oracle's path-specific invariants: L = 1 ∧ bLen = 0 ∧ pLen ≥ 1 ∧ p ≠ 0 after the first branch, … ∧ p ≠ 0 ∧ mode ≠ 0 after the second, and bLen ≤ pLen ∧ off = 1 at the loop.]
22
Apply Analysis Oracle: Local Repair
[Figure: after local repair the invariants are weakened to L = 1 ∧ bLen = 0 ∧ pLen ≥ 1 ∧ p ≠ 0 and bLen ≤ pLen, dropping the mode ≠ 0 and off = 1 conjuncts so that they cover both mode branches; the error edge stays False.]
23
Prop. Encoding: Local Repair
[Figure: the CFG with edge variables q0 .. q9.]
24
Blocking Clause with Local Repair
Φ := Φ ∧ (¬(q0 ∧ q9) ∨ q3) ∧ ¬(q0 ∧ q2 ∧ q5 ∧ q7 ∧ q8 ∧ q9)
25
One More Path Program Suffices
[Figure: the remaining path program through the p = 0 branch, annotated L = 1 ∧ bLen = 0 ∧ pLen ≥ 1, … ∧ p = 0 ∧ pLen = -1, … ∧ p = 0 ∧ mode = 0, … ∧ p = 0 at the loop, and False at the error edge.]
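The abstraction and refinement loop of the preceding slides (propositional encoding of the CFG, SAT query, path-program extraction, blocking clause with and without local repair), as an added Python example that is not code from the paper or its authors. The edge numbering q0 .. q9 is reconstructed from the slides' encoding (an assumption), and the oracle is a stand-in that returns the verdicts the slides show; a real SMPP runs a program analysis at that point.

```python
from itertools import product

# Edge numbering reconstructed from the slides' encoding (an assumption): q0 entry,
# q1 = "p = 0", q2 = "p != 0", q3 = after "pLen := -1", q4 = "mode = 0", q5 = "mode != 0",
# q6/q7 = after the off assignments, q8 = loop exit, q9 = error edge (assertion fails).
N = 10

def exactly_one(*v):
    return sum(v) == 1

def flow(q):
    """Initial abstraction from the slides: entry and error edges taken, flow conserved."""
    return (q[0] and q[9] and q[0] == exactly_one(q[1], q[2]) and q[1] == q[3]
            and exactly_one(q[3], q[2]) == exactly_one(q[4], q[5])
            and q[4] == q[6] and q[5] == q[7]
            and exactly_one(q[6], q[7]) == q[8] and q[8] == q[9])

def sat(clauses):
    """Brute-force SAT over the 2^10 edge assignments (SMPP calls a real SAT solver).
    Returns the edge set of a still-unproven path program, or None when none is left."""
    for bits in product((False, True), repeat=N):
        if flow(bits) and all(c(bits) for c in clauses):
            return frozenset(i for i in range(N) if bits[i])
    return None

def oracle(path):
    """Stand-in for the program-analysis oracle, returning the branch edges the safety
    proof depends on (the verdicts shown on the slides): the loop invariant bLen <= pLen
    needs p != 0, since the p = 0 branch sets pLen := -1, but holds for either mode."""
    return {2} if 2 in path else {1}

def naive_clause(path, _core):
    return lambda q: not all(q[i] for i in path)  # Φ := Φ ∧ ¬(q0 ∧ q2 ∧ ... ∧ q9)

def repaired_clause(path, core):
    # Local repair: block every path program through the proof core, ¬(q0 ∧ q9 ∧ core).
    # For core = {q2} that is ¬(q0 ∧ q9) ∨ ¬q2, the slides' ¬(q0 ∧ q9) ∨ q3 (¬q2 ≡ q1 ≡ q3).
    return lambda q: not (q[0] and q[9] and all(q[i] for i in core))

def smpp(make_clause):
    """Abstraction-refinement loop: SAT -> path program -> oracle -> blocking clause."""
    clauses, proven = [], []
    while (path := sat(clauses)) is not None:
        proven.append(sorted(path))
        clauses.append(make_clause(path, oracle(path)))
    return proven

if __name__ == "__main__":  # 4 path programs (slides 4-7) vs. 2 (slides 32-33)
    print("naive:", smpp(naive_clause))
    print("local repair:", smpp(repaired_clause))
```

With naive blocking clauses the loop enumerates all four path programs; with local repair the first proof already covers every path through q2, so one more path program suffices.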
26
Experiments
27
Zitser Benchmarks
• Real-world programs:
  – wu-ftpd
  – bind
  – sendmail
• Checked for buffer overflow bugs
• BLAST proves more properties on average
• SMPP completes faster (>100x)
28
Larger Benchmarks
• Real-world programs:
  – thttpd
  – ssh-server
  – xvidcore
• Checked function pre- and post-conditions for buffer accesses
• SMPP proved ~35% of thousands of properties
29
Conclusion
• SMPP uses a symbolic abstraction refinement scheme for control-flow.
• SMPP is slightly coarser than predicate abstraction, but converges much faster.
30
Questions?
Predicate Abstraction
[Figure: the CFG of foo with the predicate bLen ≤ pLen tracked at every node, each node labelled bLen ≤ pLen or ¬(bLen ≤ pLen), and False at the error edge.]
32
SMPP: Path Program 1
[Figure: the first SMPP path program (p ≠ 0) annotated L = 1 ∧ bLen = 0 ∧ pLen ≥ 1, … ∧ p ≠ 0, bLen ≤ pLen at the loop and its exit, and False at the error edge.]
33
SMPP: Path Program 2
[Figure: the second SMPP path program (p = 0) annotated L = 1 ∧ bLen = 0 ∧ pLen ≥ 1, … ∧ p = 0 ∧ pLen = -1, … ∧ p = 0 ∧ mode = 0, … ∧ p = 0 at the loop, and False at the error edge.]
34
Problem Statement
             SMT                     SMPP
Given a      disjunctive formula     branching program
determine    satisfiability          safety
using        theory solvers          analyses
for          conjunctive formulas    path programs
35
Key Analog
• Abstraction using a propositional encoding
• Refinement using blocking clauses conjoined to abstraction