Using Boolean Satisfiability for Path Sensitive Analysis - PowerPoint PPT Presentation

Provided by: benjami90
Learn more at: http://suif.stanford.edu

Transcript and Presenter's Notes

1
Using Boolean Satisfiability for Path Sensitive Analysis
  • Yichen Xie, Andy Chou

2
SAT
  • Classic NP-complete problem
  • Backend for many tools in verification, AI, etc.
  • Much recent work
    • Chaff / GRASP / SATO / GSAT
  • SAT problem P: conjunction of clauses
    • Clause: disjunction of literals
    • Literal: v or ¬v
    • Example: (x ∨ y) ∧ (¬x ∨ y)
  • A is a satisfying assignment if P(A) = true

3
Motivation
  • Eliminate false positives from false paths
  • Reasoning about values
    • Integer overflows
    • Buffer overruns
    • Off-by-one errors
  • Branch correlations / path sensitivity
  • Take advantage of SAT solver improvements

4
Modeling Properties
  • if(x) lock(l)
  • if(x) unlock(l)

Each lock operation is modelled as an assertion on the current lock state followed by a state update; the checker then asks whether any feasible path violates an assertion:

if(x) { assert(l == unlocked); l = locked; }
if(x) { assert(l == locked);   l = unlocked; }

5
Translating Expressions
  • X ⇒ x31, x30, …, x0 (one boolean variable per bit of the 32-bit word)
  • Expressions: build a circuit for each operation
    • X != 0 ⇒ x31 ∨ x30 ∨ … ∨ x0
    • X == 0 ⇒ ¬(x31 ∨ x30 ∨ … ∨ x0)
    • X == Y ⇒ (x31 = y31) ∧ … ∧ (x0 = y0)
    • Addition: ripple-carry adder
    • Multiply by constant: Booth's algorithm
    • Negative numbers: 2's complement
    • Bit operations: easy
  • Captures the effect of overflow (the circuit wraps exactly as the machine does)

6
Translating Statements
  • SSA transformation
    • Table T(v) = vi: the current SSA version of each variable v
  • Assignment

T ⊢ e ⇒ E
T' = Rename(x, T)
T ⊢ x = e ⇒ (T'(x) = E), T'

(Translate the right-hand side e under the current table to the formula E; give x a fresh SSA version with Rename; the assignment becomes the equation T'(x) = E and translation continues with the updated table T'.)

7
Translating Control Flow
  • Similar to verification condition generation
    • See the ESC/Java paper we read
  • Build path expression (regular expression of edges in the CFG)
  • Translate path expression
    • Sequence ⇒ AND
    • Branch ⇒ OR
    • Loop ⇒ desugar and unroll
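A worked version of slides 4 to 7, added here as an example; it is not code from the deck or from the Stanford tool it describes. Machine words are modelled at a width of 8 rather than 32 to keep the circuits small, a toy DPLL solver stands in for Chaff, GRASP or SATO, and the tuple formula representation, the helper names (`solve`, `lock_example`, `overflow_witness`) and the variant with an uncorrelated second guard `y` are all this example's own assumptions. It bit-blasts a ripple-carry adder (slide 5), encodes the slide 4 lock property as SSA-style assertions whose branch merge is an if-then-else (slides 6 and 7), and asks the solver for a satisfying assignment, which is a concrete feasible path to the violation.

```python
# Added example, not from the slides: a miniature of the pipeline the deck
# describes. Formulas are nested tuples; Tseitin translation gives CNF; a toy
# DPLL solver stands in for Chaff/GRASP/SATO. Assumption: 8-bit machine ints.
W = 8
def Var(n): return ('var', n)
def Not(f): return ('not', f)
def And(*fs): return ('and',) + fs
def Or(*fs): return ('or',) + fs
def Ite(c, t, e): return Or(And(c, t), And(Not(c), e))   # branch merge / SSA phi
TRUE, FALSE = ('const', True), ('const', False)           # see '__true' in solve()
class CNF:
    """Clause database; lit() Tseitin-encodes a formula and returns its literal."""
    def __init__(self): self.clauses, self.ids, self.memo = [], {}, {}
    def var(self, name): return self.ids.setdefault(name, len(self.ids) + 1)
    def lit(self, f):
        if f in self.memo:
            return self.memo[f]                   # shared sub-circuit: reuse it
        op = f[0]
        if op == 'var':
            out = self.var(f[1])
        elif op == 'const':
            out = self.var('__true') if f[1] else -self.var('__true')
        elif op == 'not':
            out = -self.lit(f[1])
        else:                                     # 'and' / 'or' gate
            ins = [self.lit(g) for g in f[1:]]
            out = self.var(('gate', len(self.ids)))
            if op == 'and':
                self.clauses += [[-out, i] for i in ins] + [[out] + [-i for i in ins]]
            else:
                self.clauses += [[-i, out] for i in ins] + [[-out] + ins]
        self.memo[f] = out
        return out

def dpll(clauses, assignment=None):
    """Plain DPLL: unit propagation to a fixpoint, then branch on a free variable."""
    assignment = dict(assignment or {})
    while True:
        unit, pending = None, []
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                          # clause already satisfied
            free = [l for l in clause if abs(l) not in assignment]
            if not free:
                return None                       # conflict on this path
            pending.append(free)
            unit = free[0] if len(free) == 1 else unit
        if not pending:
            return assignment                     # every clause satisfied
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    var = abs(pending[0][0])
    for value in (True, False):
        model = dpll(pending, {**assignment, var: value})
        if model is not None:
            return model
    return None

def solve(formula, names):
    """{name: bool} for the named variables if formula is satisfiable, else None."""
    cnf = CNF()
    root = cnf.lit(formula)
    model = dpll(cnf.clauses + [[root], [cnf.var('__true')]])   # pin the constant
    if model is None:
        return None
    return {n: bool(model.get(cnf.ids.get(n), False)) for n in names}

# Slide 5: a machine word is W boolean variables and arithmetic is a circuit.
def Xor(p, q): return Or(And(p, Not(q)), And(Not(p), q))
def bits(name): return [Var((name, i)) for i in range(W)]          # bit 0 = LSB
def const(n): return [TRUE if (n >> i) & 1 else FALSE for i in range(W)]
def eq(a, b): return And(*[Not(Xor(x, y)) for x, y in zip(a, b)])
def add(a, b):
    """Ripple-carry adder; the final carry is dropped, so the sum wraps like the machine's."""
    out, carry = [], FALSE
    for x, y in zip(a, b):
        half = Xor(x, y)
        out.append(Xor(half, carry))
        carry = Or(And(x, y), And(half, carry))
    return out

def overflow_witness(k):
    """Unsigned W-bit x with x + k == 0 (only reachable by wrapping), or None."""
    model = solve(eq(add(bits('x'), const(k)), const(0)), [('x', i) for i in range(W)])
    return None if model is None else sum(model[('x', i)] << i for i in range(W))

# Slides 4, 6, 7: the lock property as an SSA-style formula (True = locked); each
# lock/unlock is an assertion plus a fresh SSA version, a branch merge is an Ite.
def lock_example(second_guard):
    """if (x) lock(l); if (<second_guard>) unlock(l);  -> violating path, or None."""
    x, y = Var('x'), Var('y')
    guard2 = x if second_guard == 'x' else y
    l0 = FALSE                                    # l starts unlocked
    bad_lock = And(x, l0)                         # lock(l): assert(l unlocked)
    l1 = Ite(x, TRUE, l0)                         # l1 = x ? locked : l0
    bad_unlock = And(guard2, Not(l1))             # unlock(l): assert(l locked)
    return solve(Or(bad_lock, bad_unlock), ['x', 'y'])
```

`lock_example('x')` returns None: reaching the unlock with l still unlocked needs x and ¬x on the same path, so the path is infeasible and a path-insensitive checker that merged the two branches would report a false positive. With the uncorrelated guard, `lock_example('y')` returns {'x': False, 'y': True}, which is the exact path that unlocks an unlocked lock. `overflow_witness(1)` returns 255 because the dropped carry makes 0xFF + 1 wrap to 0; reasoning over unbounded integers would call x + 1 == 0 impossible, which is the overflow effect the bit-level encoding captures.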

8
Demo
9
Related Work
  • Metal: adds path sensitivity
  • ESC
    • simpler slicing, variable renaming
    • interprocedural
    • annotations optional
  • SLAM / Lazy Abstraction
    • no iteration, guaranteed to converge
    • no need to discover predicates
    • SAT > model checking

10
Related Work
  • ESP
    • catch more than constants
  • Prefix
    • sound
    • simultaneously simulate all paths
  • Model checking
    • eats too much memory for many problems

11
Future Work
  • Slice w.r.t. transitions
    • Only extract variables that influence transitions
  • Unroll loops / recursion enough times to get all possible transitions