1
finding bugs with a constraint solver
  • daniel jackson . mandana vaziri
  • mit laboratory for computer science
  • issta 2000

2
overview
  • goal
      • finding bugs in code efficiently
  • supports
      • specs: declarative specs, specs relating different program points, structural properties, pre-defined specs
      • partial code
  • technique
      • fully automatic
      • may miss errors (the search is bounded), but reports no spurious errors

3
example: linked list delete

    class List { List next; Val val; }

    static void delete(List p, Val v) {
        List prev = null;
        while (p != null) {
            if (p.val == v) {
                prev.next = p.next;
                return;
            } else {
                prev = p;
                p = p.next;
            }
        }
    }


4
checking the spec
  • user provides
      • number of loop iterations
      • number of objects in each class (scope)
  • tool finds
      • an execution of delete that contradicts the spec

5
counterexample to the spec
  (Alloy Analyzer output; one List atom and one Val atom, i.e. scope 1)
  domains:          List = {L0}, Val = {V0}
  edge sets:        E01: traversed, E12: (null), E13: traversed, E34: traversed
  variables:        p = L0, p1 = L0, prev = L0, prev1 = (null), prev2 = (null), v = V0
  relations:        next = {}, next1 = {}, val = {L0 -> V0}
  Skolem constant:  c = L0
6
counterexample to the spec
  (delete code as on slide 3)

  // spec: no cell with value v after
  no c: p.*next' | c.val = v

  The counterexample is a one-cell list whose only cell holds v: p = L0, v = V0,
  L0.val = V0 and next empty. The first cell matches while prev is still null, so
  prev.next = p.next removes nothing (in Java it dereferences null), and the Skolem
  constant c = L0 witnesses a cell with value v that is still reachable from p after
  the call.
7
more specs
  (Alloy notation: x' is the value of x after the call; *next and ^next are the
  reflexive-transitive and transitive closures of next)
  • // no cells added
    p.*next' in p.*next
  • // cells with value v removed
    p.*next' = p.*next - {c | c.val = v}
  • // no cells mutated
    all c | c.val' = c.val
  • // no cycles introduced
    (no c: p.*next | c in c.^next) => (no c: p.*next' | c in c.^next')
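The spec-checking loop of slides 4 to 7, as an added Python example; this is not the paper's tool, which compiles the code into an Alloy constraint and hands it to the Alloy Analyzer. The example instead enumerates every pre-state within a scope, runs the slide-3 delete for a bounded number of loop iterations, and evaluates the slide-7 specs on the pre- and post-states, which is the same bounded search space. Cells and values are small integers, None stands for null, and the spec names and the dictionary layout are this example's own. With scope 1 and one iteration it reports the same counterexample as slide 5: a single cell L0 holding V0 = v that is never unlinked because prev is null.

```python
"""Bounded exhaustive check of the slide-3 delete against the slide-7 specs.
Added illustration, not the ISSTA 2000 tool: instead of compiling the code into an
Alloy constraint it enumerates every pre-state within a scope and runs the code for
at most `iters` loop iterations, which is the same bounded search space. Cells and
values are the ints 0..scope-1, None stands for null."""
from itertools import product

def reach(p, nxt):
    """Cells reachable from p along next, i.e. p.*next; safe on cyclic lists."""
    seen = []
    while p is not None and p not in seen:
        seen.append(p)
        p = nxt[p]
    return set(seen)

def acyclic(p, nxt):
    """True if following next from p never revisits a cell."""
    seen = set()
    while p is not None:
        if p in seen:
            return False
        seen.add(p)
        p = nxt[p]
    return True

def delete(p, v, nxt, val, iters):
    """Concrete run of the slide's delete, bounded to `iters` loop iterations.
    Returns (post_next, null_deref), or None when the loop would need more than
    `iters` iterations (such runs fall outside the bounded search, like the
    `assert !p` the unrolling appends)."""
    nxt = dict(nxt)
    prev = None
    for _ in range(iters):
        if p is None:
            return nxt, False
        if val[p] == v:
            if prev is None:          # the bug: the first cell matches, prev is null
                return nxt, True      # Java throws NullPointerException, heap unchanged
            nxt[prev] = nxt[p]        # prev.next = p.next
            return nxt, False
        prev, p = p, nxt[p]           # prev = p; p = p.next
    return (nxt, False) if p is None else None

SPECS = {  # name -> predicate over (p, v, pre_next, post_next, val, null_deref)
    'no cell with value v after':
        lambda p, v, pre, post, val, nd: not any(val[c] == v for c in reach(p, post)),
    'no cells added':
        lambda p, v, pre, post, val, nd: reach(p, post) <= reach(p, pre),
    'cells with value v removed':
        lambda p, v, pre, post, val, nd: reach(p, post) == {c for c in reach(p, pre) if val[c] != v},
    'no cycles introduced':
        lambda p, v, pre, post, val, nd: acyclic(p, post) if acyclic(p, pre) else True,
    'no null dereference':
        lambda p, v, pre, post, val, nd: not nd,
}

def states(scope):
    """Every pre-state with `scope` List cells and `scope` Val atoms (v never null)."""
    cells = list(range(scope))
    opt = [None] + cells
    for p in opt:
        for v in cells:
            for nxt in product(opt, repeat=scope):
                for val in product(opt, repeat=scope):
                    yield p, v, dict(zip(cells, nxt)), dict(zip(cells, val))

def find_counterexamples(scope, iters):
    """First violating pre-state per spec, or None if the spec holds in the scope."""
    found = {name: None for name in SPECS}
    for p, v, nxt, val in states(scope):
        result = delete(p, v, nxt, val, iters)
        if result is None:
            continue                  # needs more iterations than the bound allows
        post, nd = result
        for name, holds in SPECS.items():
            if found[name] is None and not holds(p, v, nxt, post, val, nd):
                found[name] = {'p': p, 'v': v, 'next': nxt, 'val': val}
    return found

if __name__ == '__main__':
    for name, cex in find_counterexamples(scope=1, iters=1).items():
        print(f'{name}: {cex or "holds in scope 1"}')
```

The spec "no cells mutated" is left out because this model never writes val; "no null dereference" is checked the way the experiments of slide 18 list it. Enumeration is exponential in the scope, which is why the paper hands a constraint to the Alloy Analyzer instead of enumerating states.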

8
method
  code  --[compiler, given the number of iterations]-->  code constraint
  code constraint: all bounded executions of the code, expressed in Alloy (first-order logic)

9
method
  code  --[compiler, given the number of iterations]-->  code constraint
  code constraint ∧ ¬spec  =  final constraint  (an execution of the code that violates the spec)
  final constraint  --[Alloy analyzer, given the scope]-->  counterexample
10
compiler
  • steps
      • encode state
      • encode set of executions
  • encoding the set of executions
      • construct computation graph from code
      • label variables
      • translate edges into alloy (encoding data flow)
      • derive constraint from graph (encoding control flow)

11
modelling state for delete
  (delete code as on slide 3)

  domain List, Val
  state p: List?, v: Val?, prev: List?
        next: List -> List?, val: List -> Val?

  (? marks an optional, zero-or-one value: a null reference is the empty set)
12
computation graph
  • unrolled control flow graph
  • node: program point
  • edge: predicate or elementary statement
  • single entry, single exit
  • no cycles: loops unrolled
  • one unrolling:  a: while (p) s; b   ⇒   a: if (p) s; assert !p; b
    (the assertion excludes executions that need more iterations than were unrolled)

13
computation graph for delete
  (delete code as on slide 3; the graph is the unrolled control flow of delete,
  each edge labelled with a test or an elementary statement, e.g. p = p.next)
14
variable labeling
  • example
      x = a; x = x op b   ⇒   x1 = a; x2 = x1 op b        (op: any binary operator)
  • nodes hold the labeling of each variable
  • labels distinct on any given path
  • same label for two connected nodes if no variable update in between
  • minimize labels

15
variable labeling for delete
16
encoding data control flow
  • data
      • translate each edge label into an alloy formula
  • control
      • for each path: conjoin the formulas of its edges
      • combine paths: disjoin the path formulas

17
encoding data & control for delete
  (graph with nodes 0 to 8; the edge formulas, one per test or elementary statement:)
  prev = null           ->  no prev
  while (p != null)     ->  some p  /  no p
  if (p.val == v)       ->  p.val = v  /  p.val != v
  prev = p              ->  prev1 = p
  prev.next = p.next    ->  prev1.next1 = p.next
  p = p.next            ->  p1 = p.next
  return                ->  return
  loop exit             ->  no p2
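The compiler steps of slides 10 to 17, as an added Python example that is not the paper's implementation: a tiny statement language, loop unrolling into `if` plus `assert !cond`, a fresh label for every update of a variable or field, and path formulas that are conjoined per path and disjoined over paths. The statement classes, the labelling scheme (a global counter per name rather than the slide's minimized labels) and the omission of frame conditions on field updates are this example's simplifications. Run on the slide-3 delete with one unrolled iteration it produces formulas matching slide 17 up to label numbering: `no prev1`, `some p` / `no p`, `p.val = v` / `p.val != v`, `prev1.next1 = p.next`, `p1 = p.next`, and `no p1` for the loop exit.

```python
"""Compiler front end of slides 12-17, as an added illustration (not the paper's code).
Loops are unrolled (while -> if + assert), every update of a variable or field gets
a fresh label, and each path through the resulting acyclic graph becomes a
conjunction of Alloy-style formulas; the code constraint is the disjunction of the
paths. Labelling and formula syntax are this example's own simplified choices."""
import re
from dataclasses import dataclass

@dataclass
class Assign: var: str; expr: str                    # var = expr
@dataclass
class FieldAssign: obj: str; field: str; expr: str   # obj.field = expr
@dataclass
class If: cond: str; then: list; els: list
@dataclass
class While: cond: str; body: list
@dataclass
class Assert: cond: str; neg: bool = False           # assert cond, or assert !cond
class Return: pass

def unroll(stmts, k):
    """Replace each loop by k nested ifs ending in `assert !cond` (slide 12)."""
    out = []
    for s in stmts:
        if isinstance(s, While):
            out.extend(unroll_loop(s, k))
        elif isinstance(s, If):
            out.append(If(s.cond, unroll(s.then, k), unroll(s.els, k)))
        else:
            out.append(s)
    return out

def unroll_loop(w, k):
    if k == 0:        # executions that need more iterations are excluded
        return [Assert(w.cond, neg=True)]
    return [If(w.cond, unroll(w.body, k) + unroll_loop(w, k - 1), [])]

def rename(expr, env, fenv):
    """Replace variable and field names in expr by their current labels."""
    return re.sub(r'[A-Za-z_]\w*',
                  lambda m: env.get(m.group(0), fenv.get(m.group(0), m.group(0))), expr)

def cond_formula(cond, env, fenv):
    """Source condition to Alloy form: `x != null` -> `some x`, `==` -> `=`."""
    m = re.fullmatch(r'(\S+) (==|!=) null', cond)
    if m:
        return ('no ' if m.group(2) == '==' else 'some ') + rename(m.group(1), env, fenv)
    return rename(cond.replace('==', '='), env, fenv)

def negate(f):
    if f.startswith('no '):
        return 'some ' + f[3:]
    if f.startswith('some '):
        return 'no ' + f[5:]
    return f.replace(' != ', ' = ') if ' != ' in f else f.replace(' = ', ' != ')

def fresh(name, counters):
    counters[name] = counters.get(name, 0) + 1
    return f'{name}{counters[name]}'

def paths(stmts, env, fenv, counters):
    """All paths through loop-free stmts; each path is the list of its edge formulas."""
    if not stmts:
        return [[]]
    s, rest = stmts[0], stmts[1:]
    if isinstance(s, Return):                         # path ends; rest is unreachable
        return [[]]
    if isinstance(s, Assert):
        f = cond_formula(s.cond, env, fenv)
        return [[negate(f) if s.neg else f] + p for p in paths(rest, env, fenv, counters)]
    if isinstance(s, If):                             # both branches continue with rest
        c = cond_formula(s.cond, env, fenv)
        return ([[c] + p for p in paths(s.then + rest, env, fenv, counters)] +
                [[negate(c)] + p for p in paths(s.els + rest, env, fenv, counters)])
    if isinstance(s, Assign):
        rhs = rename(s.expr, env, fenv)               # reads use the old label
        env = {**env, s.var: fresh(s.var, counters)}  # the write gets a new one
        f = f'no {env[s.var]}' if s.expr == 'null' else f'{env[s.var]} = {rhs}'
        return [[f] + p for p in paths(rest, env, fenv, counters)]
    if isinstance(s, FieldAssign):                    # frame condition for other cells omitted
        rhs = rename(s.expr, env, fenv)
        fenv = {**fenv, s.field: fresh(s.field, counters)}
        f = f'{env[s.obj]}.{fenv[s.field]} = {rhs}'
        return [[f] + p for p in paths(rest, env, fenv, counters)]
    raise TypeError(s)

def compile_program(stmts, params, iters):
    """Return (paths, code constraint) for `iters` unrolled loop iterations."""
    ps = paths(unroll(stmts, iters), {x: x for x in params}, {}, {})
    return ps, ' or '.join('(' + ' and '.join(p) + ')' for p in ps)

# the delete procedure of slide 3 in this example's statement language
DELETE = [
    Assign('prev', 'null'),
    While('p != null', [
        If('p.val == v',
           [FieldAssign('prev', 'next', 'p.next'), Return()],
           [Assign('prev', 'p'), Assign('p', 'p.next')]),
    ]),
]
```

`compile_program(DELETE, ['p', 'v', 'prev'], 1)` yields three paths (loop not entered, match and return, one traversal step then exit), and the code constraint is their disjunction; with two iterations the deepest path ends in `no p2`, the assertion that no third iteration is needed.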
18
experiments
  • benchmark suite of procedures from Sagiv et al.
      • destructive updates of linked lists
  • specs
      • null dereferences
      • creation of cycles
      • user-defined
  • all anomalies found with a scope of 1
  • times less than 1 sec for scope 3

19
times for hardest check
  • merge
    result.*next' = p.*next + q.*next
  • table columns: scope, iters, bits, time
20
future work
  • issues
      • scalability (big procedures, long chains)
      • variety of datatypes
  • approach
      • partial analysis
      • abstraction
      • use specs instead of procedure calls

21
related work
  • testing
  • symbolic execution (King), PREfix (Pincus)
  • model checking
      • bounded model checking (Biere et al.)
      • Bandera project (Kansas State, Hawaii, UMass)
      • Java Pathfinder (NASA Ames)
      • SLAM project (Microsoft Research)
  • ESC (Detlefs et al.)
  • parametric shape analysis (Sagiv et al.)

22
comparison
  (in parentheses: the approaches compared on each point)
  • user does not provide inputs (testing)
  • all possible inputs considered (PSA, testing)
  • handles huge executions (testing, sym exec)
  • addresses structure (MC, ESC, PREfix)
  • handles declarative specs (MC, testing, sym exec, PSA)
  • no spurious errors (PSA)
  • no numbers (testing, sym exec, PREfix)
  • no proof (PSA, ESC)

23
finding bugs with a constraint solver