Path Slicing - PowerPoint PPT Presentation

About This Presentation
Title:

Path Slicing

Description:

Path Slicing. Presentation by Massimiliano Menarini. Ranjit Jhala and Rupak ... pcout PCf is the exit location. Ef set of edges, Ef PCf Ops PCf. Vf set of variables ... – PowerPoint PPT presentation

Number of Views:49
Avg rating:3.0/5.0
Slides: 15
Provided by: massimilia56
Learn more at: https://cseweb.ucsd.edu
Category:

less

Transcript and Presenter's Notes

Title: Path Slicing


1
Path Slicing
  • Presentation by Massimiliano Menarini

Ranjit Jhala and Rupak Majumdar, Path Slicing
PLDI 05 (June 2005, Chicago, Illinois)
2
Outline
  • Use of Path Slices
  • Model checking and counter examples
  • Control Flow Automata
  • Weakest Preconditions
  • Properties of Path Slices
  • Completeness
  • Soundness
  • Path Slice Algorithm
  • Experimental Results
  • Conclusion

3
Use of Path Slices
  • Model checking
  • Allow for the exploration of the execution space
    of an application to find some error
  • Return a counter example an execution path form
    the start state to an error state
  • Motivation for using Path Slicing techniques
  • The returned counter example can be very long
  • For example the paper presents an experiment
    where a property checked on gcc returned a 82,695
    basic blocks counter example
  • Obtain understandable counter examples
  • We are interested in only the operations that
    affect the reachability of the error state
    (potentially a fraction of the full counter
    example)

4
Example of CFA
  • Source
  • Ex()
  • 0 if(agt0)
  • 1 x1
  • 2 c0
  • 3 for(i1ilt1000i)
  • 4 ccf(i)
  • 5 if(agt0)
  • 6 if(x0)
  • ERR
  • ...
  • CFA

agt0
0
a0
1
x1
2
c0
3
i1
ilt1000
3
4
ccf(i) i
i1000
5
agt0
a0
6
x0
Err
Exit
5
Control Flow Automata
  • It is a CFG with operations on the edges and
    program counter on the vertexes
  • Formally
  • Operations (Ops) of 2 types
  • Assignment le
  • assume assume(p)
  • CFA Cf(PCf, pc0, pcout, Ef, Vf)
  • PCf is a set of locations (program counters)
  • pc0?PCf is the start location
  • pcout?PCf is the exit location
  • Ef set of edges, Ef ? PCf ? Ops ? PCf
  • Vf set of variables (?)

6
Weakest Preconditions
  • Given a logical formula j over a set of variables
    X.
  • j represents all X-states where the values of X
    satisfy j
  • The weakest precondition (WP) of j with regard to
    the operation op ? Ops (WP.j.op) is the set of
    states that can reach a state in j after
    executing op

Xa Opsa0, a1 j a1 Therefore j
identifies a1
WP.j.(a1)all WP.j.(a0)Ø
7
Example of Paths
To execute must be agt0 (j)
  • CFA

Path to pc6
Trace agt0 x1 c0 i1 i1000 agt0 Variables
a c i x
agt0
0
a0
agt0
1
0
x1
2
1
c0
x1
2
3
c0
i1
ilt1000
3
3
4
i1
ccf(i) i
i1000
3
i1000
5
agt0
Cannot execute this is an unfeasible path
a0
5
6
agt0
x0
6
Err
Exit
8
Paths and Slices
  • A path p from pc to pc is a sequence of edges of
    the CFA such that the destination of one and the
    source of the next coincide, the source of the
    first edge is pc and the destination of the last
    is pc
  • A trace is the sequence of operations on the
    edges of a path
  • A path is feasible if there is some state that
    can execute it
  • A state s can reach a location pc if there exist
    a path from pc0 to pc that can be executed by s
  • A Path Slice p is a subsequence of a path p

9
Completeness
  • p is a complete slice of p (path from pc0 to an
    error location pce) if for every s?WP.true.Tr.p
    either
  • there exist a program path p from pc0 to pce
    such that s can execute p, or
  • S cannot reach pcout
  • Therefore if there is a complete slice to an
    error location and it is feasible (therefore
    executable for some state), we are guaranteed
    that for each state that can execute the slice
    there exist an executable path that reach the
    error location

10
Soundness
  • A path slice p of p is a sound slice if
    WP.true.(Tr.p) ? WP.true.(Tr.p)
  • So a state that can execute the trace of a path
    can execute the trace if a sound slice of it

11
Example
Complete and Sound Slice
CFA
Slice
Slice
agt0
agt0
agt0
0
0
0
a0
1
1
1
x0
x0
x0
Not Sound slice The path could execute in sagt0
the slice only in sagt0, x0
2
2
2
c0
c0
c0
3
3
3
i1
ilt1000
i1
ilt1000
i1
ilt1000
3
4
3
4
3
4
ccf(i) i
ccf(i) i
ccf(i) i
i1000
i1000
i1000
5
5
5
agt0
agt0
agt0
a0
6
6
6
x0
x0
x0
Err
Exit
Err
Err
12
Path Slice Algorithm
  • Backward traversal of the CFA
  • Keep 2 information
  • lvalues set L (the set of lives values)
  • Step location pcs
  • An edge is added to the slice if
  • It assign one of the lvalues
  • If there is a branch that can bypass the current
    step
  • If there is a path from the current edge to the
    step edge that assign one of the lvalues

13
Experimental Results
  • Tested correctens of files handling in real
    programs (fcron, wuftpd, make, privoxy, ijpeg,
    openssh, gcc)
  • In average the length of the Slice was 5 of the
    length of the original trace
  • In case of longer traces the slices where much
    shorter (0.1)
  • Examples
  • Shortest trace 47 operations output 27
    operations (57)
  • Longest trace 82,695 operations output 43
    operations (less that 0.1)

14
Conclusion
  • Path Slicing is an interesting technique to
    reduce the size of a counter example
  • An linear algorithm that return a Sound and
    Complete path slice is provided
  • Implemented in the Blast model checker
  • Experimental results on real programs proved the
    benefit of that approach
  • Limitations
  • The implementation use a depth first search for
    counter examples that returns very long traces
  • Imprecise model of the heap creates problems in
    the verification of certain programs
  • Slow implementation of WrBt and By functions used
    by the algorithm, dont scale well
Write a Comment
User Comments (0)
About PowerShow.com