Path Slicing

1
Path Slicing

• Ranjit Jhala Rupak Majumdar
• U.C. San Diego U.C. Los Angeles

2
Path Slices

• Given a program P, a path ? of P, and last
  statement S of ?, what is the subset of
  statements along ? that are possibly relevant
  toward control reaching S?

3
Why Path Slices?

• Static analysis tools return control flow paths
  to error locations as possible counterexamples to
  a property
• Returned paths may or may not be feasible
• Must analyze manually or automatically to
  determine feasibility
• Long paths complicate the process
• Requires more effort to determine feasibility
• Can get stuck in irrelevant infeasibilities
• While the current path is infeasible, a simple
  variant may be feasible

4
Example

• Assume f always terminates
• ERR is reachable
• a and x are unconstrained
• Any feasible path to error must unroll the loop
  1000 times AND find feasible paths through f
• Any other path must be dismissed as a false
  positive
• Causes automatic counterex analyzers to not
  terminate!

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

5
Example

• Intuitively, the for loop is irrelevant
• ERR reachable as long as there exists some path
  from 2 to 4 that does not modify a or x
• Can we use static analysis to precisely report a
  statement is reachable without finding a feasible
  path?

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

6
Example
1
1

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
i1000
4
4
agt0
agt0
5
5
x0
x0
7
Sounds like Static Slicing

• Static Slice Given a program P and statement S,
  what is the set of statements that could affect
  control reaching S for any input?
• Path Slice Given a program P, a path ? of P, and
  last statement S of ?, what is the subset of
  statements along ? that are possibly relevant
  toward control reaching S?

Compute a backward static slice from the target
location S
8
Path Slices are More Precise

• Can focus on particular path of interest

Example2 ( ) 1x 0 2t complex() 3if
(agt0) 4 x x t 5if (x0) ERR

Backward static slice cannot remove
complex() There are paths along which result of
complex() flows into x
9
Path Slices are More Precise
Example2 ( ) 1x 0 2t complex() 3if
(agt0) 4 x x t 5if (x0) ERR

1
x 0
2
t complex()
3
a 0
5
x0
Path static slice can remove complex() along
this trace
10
Sounds like Dynamic Slicing

• Dynamic Slice Given a program P, a dynamically
  executed path ? for a fixed input, and last
  statement S of ?, what is the set of statements
  that did affect control reaching S for this fixed
  input?
• Path Slice Given a program P, a path ? of P, and
  last statement S of ?, what is the subset of
  statements along ? that are possibly relevant
  toward control reaching S?

11
Difference from Dynamic Slicing

• The paths are not guaranteed to be feasible
• May not be generated by dynamic execution
• Alternative static program paths are considered
  while computing the slice
• Like static slicing
• While the current path may be infeasible, a
  variant may be feasible

12
Path Slice, Formally

• The path slice of a program path ? is a
  subsequence of the edges of ? such that if the
  sequence of operations along the subsequence is
• infeasible, then ? is infeasible, and
• feasible, then the last location of ? is
  reachable (but not necessarily along ?)

13
Computing Path Slices

• Intuitively, drop some edges, but leave branches
  that must be taken to reach the target, and
  assignments that feed into the branch conditions
• Backward dataflow over the path, tracking at each
  node
• step location source location of the last edge
  along the path added to the slice
• live variables set of relevant variables whose
  values determine whether or not the target is
  reachable along the suffix

14
Example
A conditional is taken if either (1) there is a
path from the current node to the step location
on which a live variable is modified, or (2) the
current node does not post-dominate the step
location
1

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
i1000
4
agt0
5
x0
ERR,
15
Conditionals
current
current
x2 Live
X
step
step
?
?
16
Example
A conditional is taken if either (1) there is a
path from the current node to the step location
on which a live variable is modified, or (2) the
current node does not post-dominate the step
location
1

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
Live (Live n Wr(op)) Rd(op)
i1000
4
agt0
5
x0
ERR,
17
Example
1

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
i1000
4
agt0
5
x0
ERR,
18
Example
1

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

c 0
2
i 1
2
ilt1000
3
c c f(i)i
2
4, x, a
i1000
4
4, x, a
agt0
5
5, x
x0
ERR,
19
Example
1

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

c 0
2
An assignment is taken if the assigned variable
is in the Live set
i 1
2
ilt1000
3
c c f(i)i
2
4, x, a
i1000
4
4, x, a
agt0
5
5, x
x0
ERR,
20
Example
1
4, x, a

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

c 0
2
4, x, a
i 1
4, x, a
2
ilt1000
4, x, a
3
c c f(i)i
2
4, x, a
i1000
4
4, x, a
agt0
5
5, x
x0
ERR,
21
Slice
1

• Example ( )
• 1c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

4
agt0
5
x0
22
Example 2 Infeasible Path

• Example ( )
• Aif (agt0)
• B x 1
• 1 c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

23
Example 2 Infeasible Path

• Example ( )
• Aif (agt0)
• B x 1
• 1 c 0
• 2for(i1ilt1000i)
• 3 c c f(i)
• 4if (agt0)
• 5 if (x0)
• ERR

A, a
A
agt0
B, a
B
x 1
1
4, x, a
c 0
2
4, x, a
i 1
Live (Live n Wr(op)) Rd(op)
4, x, a
2
ilt1000
4, x, a
3
c c f(i)i
2
4, x, a
i1000
4
4, x, a
agt0
5
5, x
x0
ERR,
24
Slice
Example ( ) Aif (agt0) B x 1 1 c
0 2for(i1ilt1000i) 3 c c f(i) 4if
(agt0) 5 if (x0) ERR
A
agt0
B
x 1
1
Infeasible Slice implies Infeasible trace
4
agt0
5
x0
25
Experiments

• Implemented path slicing in BLAST, a software
  model checker based on counterexample refinement
• Paths Abstract counterexamples
• Feasible sliced paths Bugs
• Infeasible sliced paths analyzed for predicates
• Checked correct handling of files
• A file must be opened before access

fopen
fclose
fscanf,fprintf
26
Benchmarks

• Paths generated by context-free reachability
  algorithm with dfs
• Did not terminate without path slicing

27
Fcron (cron daemon)
28
Openssh (ssh server)
29
Extensions

• Pointers
• Use alias information to get over-approximation
  of modifies set
• Procedures
• Use a modifies analysis
• Take a return statement if the function can
  modify a live variable

30
Conclusion

• Path slicing is a simple but effective filter to
  remove noise from traces
• Often makes difference between termination and
  non-termination in software model checking
• By focusing on particular paths, can produce more
  precise results than static slicing

31

• BLAST
• http//www.cs.ucla.edu/rupak/blast

32
Bug in wuftpd

• void statfilecmd(char filename)
• FILE fin
• fin ftpd_popen(line,r,0)
• // fin can be 0!
• while(1)
• // ERROR
• tmp fgets(line,256,fin)

• FILE ftpd_popen(char prgm, char t, int c)
• tmp getrlimit(7, rlp)
• if (tmp)
• return (FILE )0