Boolean Programs: A Model and Process For Software Analysis
By Thomas Ball and Sriram K. Rajamani
Microsoft technical paper MSR-TR-2000-14
Presented by Yunho Kim, Provable Software Lab, KAIST
Contents
Boolean Programs: A Model and Process For Software Analysis, Yunho Kim, Provable Software Lab, KAIST 2/22
• Introduction
• Constructing Boolean programs
• Checking feasibility
• Conclusion
Introduction
• The choice of a model for software is a fundamental issue in model checking of software
• The following are key points of a good model
– A representation R of the model is analogous to the finite state machine (FSM), and has efficient algorithms to model check R
– The model checking algorithms on R report the shortest trace to an error
– Programming languages such as C, C++, Java have translations into R
• Boolean programs are a good representation for software model checking
Program P:
    numUnits: int;
    level: int;
    void getUnit() {
    [1]  canEnter: bool := F;
    [2]  if (numUnits = 0) {
    [3]    if (level > 10) {
    [4]      newUnit();
    [5]      numUnits := 1;
    [6]      canEnter := T;
           }
         } else
    [7]    canEnter := T;
    [8]  if (canEnter)
    [9]    if (numUnits = 0)
    [10]     assert(F);
           else
    [11]     gotUnit();
    }

Boolean program B of P (nU0 stands for the expression numUnits = 0, cE for canEnter):
    nU0: bool;
    void getUnit() {
    [1]  cE: bool := F;
    [2]  if (nU0) {
    [3]    if (?) {
    [4]      skip;
    [5]      nU0 := F;
    [6]      cE := T;
           }
         } else
    [7]    cE := T;
    [8]  if (cE)
    [9]    if (nU0)
    [10]     skip;
           else
    [11]     skip;
    }

• All variables in Boolean programs have Boolean type
• Each Boolean variable in B corresponds to a Boolean expression in P
• P and B have the same control structure
• The X programming language is a simple imperative language with procedures, assignments, if, while and asserts
• The type of a variable in the X language ranges over integers, finite enumerations and a three-valued type
– From now on, the Boolean type extends to three-valued logic
• Kleene's three-valued interpretation of ∧, ∨ and ¬ (? is the unknown value):
∧     | true  | false | ?
true  | true  | false | ?
false | false | false | false
?     | ?     | false | ?

∨     | true  | false | ?
true  | true  | true  | true
false | true  | false | ?
?     | true  | ?     | ?

¬
true  | false
false | true
?     | ?
• Overview of the SLAM process (flow diagram, rendered as text):
– Program P and spec φ → Constructing Boolean program → Boolean program B → Model checking
– Model checking ends with φ true, or with φ false + counterexample (error trace p)
– Error trace p → Feasible? If the path p is infeasible: Eliminating infeasible path p → back to Constructing Boolean program with a refined Boolean program
• Today's focus: Constructing Boolean program and feasibility check
Constructing Boolean programs
• For simplicity, we assume that all programs are in X-normal form
• An X program P is in X-normal form if all of the following hold
– Every assert statement in P is followed by a skip statement
– All Boolean expressions in if and while statements of P are ?
– All assignment statements in P assign to a single variable

X program           | X-normal form
if(e) {A} else {B}  | if(?) { assert(e); skip; A } else { assert(!e); skip; B }
while(e) {S}        | while(?) { assert(e); skip; S } assert(!e); skip;
• B(P,E) is a Boolean program of P with respect to E
– P is an X program in X-normal form
• Let E = {e1, e2, ..., en} be a set of Boolean expressions over variables in P and constants in X
• Let VB = {b1, b2, ..., bn} be a set of Boolean variables in B(P,E)
– Let E(bi) denote the corresponding Boolean expression ei
• Each statement s in P is transformed to a corresponding statement in B(P,E), except for asserts
– An assert statement is transformed to two statements in B(P,E)
• Translation tables into B(P,E)
• I(s, e) denotes the truth value of the Boolean variable b corresponding to e, after executing statement s
• F(e) denotes the weakest disjunction of minterms over VB s.t. the corresponding expression of F(e) implies e

Statement(s) in P         | Translation in B(P,E)
[i] if(?)                 | [i] if(?)
[i] while(?)              | [i] while(?)
[i] x := e                | [i] b1, ..., bn := I(x:=e, e1), ..., I(x:=e, en)
[i] assert(e) [j] skip    | [i] assert(!F(!e)) [j] b1, ..., bn := I(assert(e), e1), ..., I(assert(e), en)
[i] skip                  | [i] skip
• Then, how can we find the result of I(s, e), the truth value of e after execution of s?
– The answer is the weakest precondition!
WP(x:=e, f) = f[x → e]   (f with every occurrence of x replaced by e)
WP(assert(e), f) = e ⇒ f
• Let F(e) denote the largest disjunction of minterms over VB s.t. E(F(e)) ⇒ e
– A minterm is a logical expression consisting of only the conjunction and complement operators
– Intuitively, E(F(e)) is the weakest expression over E that implies e
• E(F(WP(s,e))) is the weakest precondition over E
– If E(F(WP(s,e))) is true, then after executing s, e becomes true
– If E(F(WP(s,!e))) is true, then after executing s, e becomes false
• Example
• E = {(x=1), (x=2), (x≤3)} and VB = {b1, b2, b3}
– E(b1) = (x=1), E(b2) = (x=2), E(b3) = (x≤3)
• The statement s is x := x+1

                       | e = (x=1)          | e = (x=2)           | e = (x≤3)
WP(x:=x+1, e)          | x = 0              | x = 1               | x ≤ 2
F(WP(x:=x+1, e))       | False              | b1                  | b1 ∨ b2
E(F(WP(x:=x+1, e)))    | False              | x = 1               | x = 1 ∨ x = 2
WP(x:=x+1, !e)         | x ≠ 0              | x ≠ 1               | x ≥ 3
F(WP(x:=x+1, !e))      | b1 ∨ b2 ∨ !b3      | !b1 ∨ b2 ∨ !b3      | !b3
E(F(WP(x:=x+1, !e)))   | x=1 ∨ x=2 ∨ x>3    | x≠1 ∨ x=2 ∨ x>3     | x > 3
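The construction on the previous slides (I(s,e) via F(WP(s,e)) and F(WP(s,!e)), with ? when neither holds) can be run mechanically. The following is an added example and is not code from the slides or from the Ball/Rajamani paper: it uses the slide's predicate set E = {x=1, x=2, x≤3} and VB = {b1, b2, b3}, but replaces the theorem prover by brute-force enumeration over a small integer domain (an assumption made only to keep the example offline), drops unsatisfiable minterms from F(e) as the slide's simplified forms do, and represents the three-valued ? as Python's None.

```python
from itertools import product

# Constructed assumption: a bounded integer domain stands in for a theorem
# prover when checking implications; it is wide enough to separate every
# predicate in E below.
DOMAIN = range(-5, 10)

# The predicate set E of the slide, keyed by the Boolean variables VB of B(P,E).
E = {
    "b1": lambda x: x == 1,
    "b2": lambda x: x == 2,
    "b3": lambda x: x <= 3,
}

def wp_assign(rhs, e):
    """WP(x := rhs, e) = e with every occurrence of x replaced by rhs."""
    return lambda x: e(rhs(x))

def neg(e):
    return lambda x: not e(x)

def implies(f, g):
    """Semantic check f => g by enumeration over DOMAIN (stand-in for a prover)."""
    return all((not f(x)) or g(x) for x in DOMAIN)

def satisfiable(f):
    return any(f(x) for x in DOMAIN)

def minterm_meaning(m):
    """E(m): the concrete expression of a minterm m, a dict var -> polarity."""
    return lambda x: all(E[b](x) == v for b, v in m.items())

def F(e):
    """Largest disjunction of satisfiable minterms over VB whose meaning implies e.
    Returned as a list of minterms; the empty list means False."""
    result = []
    for bits in product([False, True], repeat=len(E)):
        m = dict(zip(sorted(E), bits))
        if satisfiable(minterm_meaning(m)) and implies(minterm_meaning(m), e):
            result.append(m)
    return result

# Kleene's three-valued connectives from the slide; None stands for '?'.
def k_not(a):
    return None if a is None else (not a)

def k_and(a, b):
    if a is False or b is False:
        return False
    return None if (a is None or b is None) else True

def k_or(a, b):
    if a is True or b is True:
        return True
    return None if (a is None or b is None) else False

def eval_disjunction(minterm_list, state):
    """Evaluate a disjunction of minterms under a three-valued abstract state."""
    value = False
    for m in minterm_list:
        conj = True
        for b, polarity in m.items():
            lit = state[b] if polarity else k_not(state[b])
            conj = k_and(conj, lit)
        value = k_or(value, conj)
    return value

def abstract_assign(state, rhs):
    """I(x := rhs, e_i) for every predicate e_i: True if F(WP(s, e_i)) holds in
    the current abstract state, False if F(WP(s, !e_i)) holds, otherwise '?'."""
    new_state = {}
    for b, e in E.items():
        if eval_disjunction(F(wp_assign(rhs, e)), state) is True:
            new_state[b] = True
        elif eval_disjunction(F(wp_assign(rhs, neg(e))), state) is True:
            new_state[b] = False
        else:
            new_state[b] = None
    return new_state

def show(minterm_list):
    if not minterm_list:
        return "False"
    return " | ".join("&".join(("" if v else "!") + b for b, v in m.items())
                      for m in minterm_list)

if __name__ == "__main__":
    inc = lambda x: x + 1          # the slide's statement s: x := x+1
    for b, e in E.items():
        print(b, "F(WP(s,e)) =", show(F(wp_assign(inc, e))),
              "  F(WP(s,!e)) =", show(F(wp_assign(inc, neg(e)))))
    # Abstract state for x = 1 (b1 true, b2 false, b3 true) after x := x+1:
    print(abstract_assign({"b1": True, "b2": False, "b3": True}, inc))
```

Running it reproduces the table above: F(WP(s, x=1)) is False, F(WP(s, x=2)) is the single minterm b1&!b2&b3, and from the abstract state for x = 1 the assignment yields b1 = F, b2 = T, b3 = T. From the state !b1, !b2, b3 (x is 0 or 3, which the predicates cannot tell apart) the result is b1 = ?, b2 = F, b3 = ?, which is exactly where the three-valued logic of the earlier slide is needed.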
• There is a difference between assert(F(e)) and assert(!F(!e))
– F(e) ⇒ e ⇒ !F(!e)
• Example
• E = {(x<y), (y<z)} and VB = {b1, b2}
– E(b1) = (x<y), E(b2) = (y<z)
– e = (x<z)

                    | E(F(e))     | e     | E(!F(!e))   | E(F(!e))    | !e    | E(!F(e))
Expression over E   | x<y ∧ y<z   | x<z   | x<y ∨ y<z   | x≥y ∧ y≥z   | x≥z   | x≥y ∨ y≥z
(x,y,z) = (1,2,3)   | True        | True  | True        | False       | False | False
(x,y,z) = (1,3,2)   | False       | True  | True        | False       | False | True
(x,y,z) = (1,3,0)   | False       | False | True        | False       | True  | True
(x,y,z) = (3,2,1)   | False       | False | False       | True        | True  | True
Checking Feasibility
• Feasibility checking checks whether a given error trace π in B(P,E) is a trace p in P
– By using the modified strongest postcondition
• The modified strongest postcondition uses a context instead of an expression
– SP(⟨store, Π, Φ⟩, x := e) instead of SP(f, x := e)
• A context ⟨store, Π, Φ⟩ is a triple
– store is the current valuation of the variables in p
– Π is a set called the history, which represents the past valuations of the variables in p
– Φ is a set of Boolean expressions called conditions, which represents the constraints introduced by assert statements
• Let V(p) be the set of variables appearing in p
• Let Exp denote the set of expressions over Θ(p) and the constants in X
– Θ(p) = {θx,p | x ∈ V(p)} is a set of symbolic constants in one-to-one correspondence with the variables of V(p)
• A context ⟨store, Π, Φ⟩ is a triple formally defined as
– store is a partial function V(p) → Exp
– Π ⊆ V(p) × Exp
– Φ is a set of Boolean expressions from Exp
• Example

p             | store            | Π            | Φ
assert(b>0)   | ⟨b, θb,p⟩        |              | θb,p > 0
b := b+1      | ⟨b, θb,p + 1⟩    | ⟨b, θb,p⟩    | θb,p > 0
• The strongest postcondition SP maps a context and a statement to a new context
– Given a store and a set of variables X ⊆ V(p), let undef(store, X) = {⟨x, θx,p⟩ | x ∈ X, store(x) not defined}
– For an assignment x := e, SP updates the current valuation of x and stores the old value in the history Π
– For assert(e), SP updates the conditions Φ only
• The initial context is ⟨∅, ∅, ∅⟩ (all three components empty)
• p is feasible iff the conjunction of all conditions, ∧c∈Φ c, is satisfiable
• Example
• This trace is infeasible because (θb,p > 0) ⇒ (2θb,p ≠ θb,p − 1)

p             | store                                        | Π            | Φ
assert(b>0)   | ⟨b, θb,p⟩                                    |              | θb,p > 0
c := b+b      | ⟨b, θb,p⟩, ⟨c, 2θb,p⟩                        |              | θb,p > 0
a := b        | ⟨a, θb,p⟩, ⟨b, θb,p⟩, ⟨c, 2θb,p⟩             |              | θb,p > 0
a := a-1      | ⟨a, θb,p − 1⟩, ⟨b, θb,p⟩, ⟨c, 2θb,p⟩         | ⟨a, θb,p⟩    | θb,p > 0
assert(a<b)   | ⟨a, θb,p − 1⟩, ⟨b, θb,p⟩, ⟨c, 2θb,p⟩         | ⟨a, θb,p⟩    | θb,p > 0, θb,p − 1 < θb,p
assert(c=a)   | ⟨a, θb,p − 1⟩, ⟨b, θb,p⟩, ⟨c, 2θb,p⟩         | ⟨a, θb,p⟩    | θb,p > 0, θb,p − 1 < θb,p, 2θb,p = θb,p − 1
Eliminating infeasible paths
• To eliminate infeasible paths in a Boolean program, we need to refine the Boolean program
• Let C(⟨x,e⟩) denote the Boolean expression (x=e), and extend C to a set of pairs
• Then E = C(store) ∪ C(Π) ∪ Φ is a sufficient set of conditions to make p infeasible in B(P,E)
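The symbolic path simulator of the feasibility slides and the refinement set of this slide, as an added example that is not code from the slides or from the paper: it replays the slide's trace (assert(b>0); c := b+b; a := b; a := a-1; assert(a<b); assert(c=a)) through SP over a context ⟨store, Π, Φ⟩, then checks whether the conjunction of Φ is satisfiable and lists C(store) ∪ C(Π) ∪ Φ. Expressions are restricted to linear terms over the symbolic constants θx,p (written theta_x), statements are given as Python tuples rather than parsed from X syntax, and the satisfiability check enumerates a bounded integer range instead of calling a theorem prover; all three are assumptions made to keep the example self-contained.

```python
from itertools import product

# A linear expression over symbolic constants theta_x is a dict {name: coeff};
# the key "1" holds the constant term and an empty dict is 0.
def const(n):
    return {"1": n}

def sym(name):
    return {name: 1}

def add(e1, e2):
    out = dict(e1)
    for k, v in e2.items():
        out[k] = out.get(k, 0) + v
    return {k: v for k, v in out.items() if v != 0}

def sub(e1, e2):
    return add(e1, {k: -v for k, v in e2.items()})

def eval_expr(ast, store):
    """Evaluate a trace expression in the store. A variable not yet in the store
    is bound to its symbolic constant theta_x first (the slide's undef(store, X))."""
    kind = ast[0]
    if kind == "const":
        return const(ast[1])
    if kind == "var":
        x = ast[1]
        if x not in store:
            store[x] = sym(f"theta_{x}")
        return store[x]
    if kind == "add":
        return add(eval_expr(ast[1], store), eval_expr(ast[2], store))
    if kind == "sub":
        return sub(eval_expr(ast[1], store), eval_expr(ast[2], store))
    raise ValueError(f"unknown expression kind {kind}")

def sp(context, stmt):
    """Strongest postcondition on a context (store, history Pi, conditions Phi)."""
    store, history, conds = context
    store, history, conds = dict(store), list(history), list(conds)
    if stmt[0] == "assign":
        _, x, rhs = stmt
        value = eval_expr(rhs, store)
        if x in store:                   # old valuation of x moves to the history
            history.append((x, store[x]))
        store[x] = value
    elif stmt[0] == "assert":
        _, (lhs, op, rhs) = stmt          # assert only adds a condition to Phi
        conds.append((eval_expr(lhs, store), op, eval_expr(rhs, store)))
    else:
        raise ValueError(f"unknown statement kind {stmt[0]}")
    return store, history, conds

def simulate(trace):
    context = ({}, [], [])               # the initial context: all components empty
    for stmt in trace:
        context = sp(context, stmt)
    return context

OPS = {"<": lambda l, r: l < r, "<=": lambda l, r: l <= r, ">": lambda l, r: l > r,
       ">=": lambda l, r: l >= r, "=": lambda l, r: l == r, "!=": lambda l, r: l != r}

def value(e, env):
    return sum(v if k == "1" else env[k] * v for k, v in e.items())

def feasible(conds, bound=10):
    """p is feasible iff the conjunction of Phi is satisfiable. Assumption: the
    symbolic constants are searched over [-bound, bound] instead of a prover."""
    symbols = sorted({k for l, _, r in conds for k in list(l) + list(r) if k != "1"})
    for vals in product(range(-bound, bound + 1), repeat=len(symbols)):
        env = dict(zip(symbols, vals))
        if all(OPS[op](value(l, env), value(r, env)) for l, op, r in conds):
            return True
    return False

def show(e):
    syms = [(k, v) for k, v in sorted(e.items()) if k != "1"]
    c = e.get("1", 0)
    text = " + ".join(k if v == 1 else f"{v}*{k}" for k, v in syms)
    if not text:
        return str(c)
    return text if c == 0 else f"{text} {'+' if c > 0 else '-'} {abs(c)}"

def refinement_predicates(context):
    """C(store) U C(Pi) U Phi: the conditions added to E to rule out the trace."""
    store, history, conds = context
    preds = [f"{x} = {show(e)}" for x, e in sorted(store.items())]
    preds += [f"{x} = {show(e)}" for x, e in history]
    preds += [f"{show(l)} {op} {show(r)}" for l, op, r in conds]
    return preds

# The slide's trace, constructed here as tuples (no X parser in this example).
TRACE = [
    ("assert", (("var", "b"), ">", ("const", 0))),
    ("assign", "c", ("add", ("var", "b"), ("var", "b"))),
    ("assign", "a", ("var", "b")),
    ("assign", "a", ("sub", ("var", "a"), ("const", 1))),
    ("assert", (("var", "a"), "<", ("var", "b"))),
    ("assert", (("var", "c"), "=", ("var", "a"))),
]

if __name__ == "__main__":
    ctx = simulate(TRACE)
    print("feasible:", feasible(ctx[2]))
    for pred in refinement_predicates(ctx):
        print("  ", pred)
```

The final context matches the table of the previous slide (store a = theta_b - 1, b = theta_b, c = 2*theta_b; history ⟨a, theta_b⟩; conditions theta_b > 0, theta_b - 1 < theta_b, 2*theta_b = theta_b - 1), the trace is reported infeasible, and dropping the last assert makes it feasible again. The bounded search is sound for this trace only because the single solution of 2θ = θ − 1 (θ = −1) lies inside the range and contradicts θ > 0; a real implementation hands Φ to a decision procedure.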
Conclusion
• A Boolean program is a good representation for software model checking
• The transformation to a Boolean program uses the weakest precondition
• A symbolic path simulator using the strongest postcondition checks the feasibility of a given trace
Reference
• Boolean Programs: A Model and Process For Software Analysis, by Thomas Ball and Sriram K. Rajamani, Microsoft Technical Report MSR-TR-2000-14