
Posted on 05-Jan-2016


CSV 889: Concurrent Software Verification

Subodh Sharma, Indian Institute of Technology Delhi

Symbolic Execution

Runtime Verification vs Symbolic Execution

Courtesy: Zvonimir's slides from the sv 2012 course

Key developments

• King, CACM 1976

• Still an active area of research
  – CUTE [UIUC]
  – KLEE [Stanford]
  – Java Path Finder [NASA]
  – ...

Nuts and Bolts of Symbolic Execution

• Treat values of variables as symbolic
• For each program path, collect constraints over symbolic expressions
  – Known as “path conditions”

• Check feasibility at branches
  – By using either SAT or SMT tools
  – Can be used for pruning infeasible paths

• Fork and proceed
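The four steps above, carried out end to end by a toy symbolic executor. This is an added example, not code from the lecture or from any of the engines it names: the tuple-based IR, the constructed program and the bounded-enumeration stand-in for the SAT/SMT feasibility query are all assumptions made here. It keeps a symbolic store, accumulates the path condition at each branch, prunes infeasible forks (the `x*x < 0` branch), and reports a concrete witness input for every feasible path, including those that reach `error()`.

```python
from itertools import product
# Added example (not from the lecture): a toy symbolic executor over a tiny tuple-based IR.
# Expr: ('var', n) | ('const', k) | ('not', e) | (op, e1, e2), op in + - * < ==
# Stmt: ('assign', n, e) | ('if', cond, then_block, else_block) | ('error',)

def eval_expr(e, env):                     # concrete evaluation, used only by feasible()
    if e[0] == 'var':   return env[e[1]]
    if e[0] == 'const': return e[1]
    if e[0] == 'not':   return not eval_expr(e[1], env)
    lhs, rhs = eval_expr(e[1], env), eval_expr(e[2], env)
    return {'+': lhs + rhs, '-': lhs - rhs, '*': lhs * rhs, '<': lhs < rhs, '==': lhs == rhs}[e[0]]
def subst(e, store):                       # rewrite e as an expression over the symbolic inputs
    if e[0] == 'var':   return store[e[1]]
    if e[0] == 'const': return e
    return (e[0],) + tuple(subst(s, store) for s in e[1:])
def feasible(path_cond, inputs, domain=range(-6, 7)):
    """Stand-in for the SAT/SMT query: bounded search for a model of the path condition."""
    for vals in product(domain, repeat=len(inputs)):
        env = dict(zip(inputs, vals))
        if all(eval_expr(c, env) for c in path_cond):
            return env                     # concrete input driving execution down this path
    return None

def sym_exec(block, store, pc, inputs, out):
    """Execute block symbolically: fork at each branch, prune infeasible forks, record outcomes."""
    for i, stmt in enumerate(block):
        if stmt[0] == 'assign':
            store = {**store, stmt[1]: subst(stmt[2], store)}
        elif stmt[0] == 'error':
            out.append(('error', pc, feasible(pc, inputs)))
            return
        elif stmt[0] == 'if':
            cond, rest = subst(stmt[1], store), block[i + 1:]
            for branch, taken in ((stmt[2], cond), (stmt[3], ('not', cond))):
                if feasible(pc + [taken], inputs) is not None:   # prune infeasible paths
                    sym_exec(branch + rest, store, pc + [taken], inputs, out)
            return
    out.append(('ok', pc, feasible(pc, inputs)))

def explore(program, inputs):              # -> [(kind, path_condition, witness)], kind in ok/error
    out = []
    sym_exec(program, {n: ('var', n) for n in inputs}, [], inputs, out)
    return out
# Constructed program: x = a; y = b + x; if x < 3 { if y == 5 error() } else { if x*x < 0 error() }
V, C = (lambda n: ('var', n)), (lambda k: ('const', k))
PROGRAM = [('assign', 'x', V('a')), ('assign', 'y', ('+', V('b'), V('x'))),
           ('if', ('<', V('x'), C(3)),
            [('if', ('==', V('y'), C(5)), [('error',)], [])],
            [('if', ('<', ('*', V('x'), V('x')), C(0)), [('error',)], [])])]
```

`explore(PROGRAM, ['a', 'b'])` yields three feasible paths (the fourth is pruned); the single error path comes back with the witness `{'a': -1, 'b': 6}`, which is exactly the "input to crash the program" a real engine would hand to the tester.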

Example I

Concrete execution: x = 3, y = 2

Example I

Symbolic execution: x = a, y = b

Problems with Symbolic Execution

• Constraints
  – Linear arithmetic
  – Nonlinear
  – Higher-order functions
  – Unknown data structure invariants

Example II

Courtesy: S. Anand, 2009

What constraints to generate for data structure updates?

Example II

Courtesy: S. Anand, 2009

Use data structure invariants

Dealing with Functions

Goal: Find an input to crash the program

What is the total number of program paths leading to error()?

Key idea is to compute function summaries!

Courtesy: S. Anand, 2009

Summary

• TODAY: Basics of Symbolic Execution and the problems with it

• NEXT CLASS: State-of-the-art symbolic execution engines (KLEE, CUTE) + handling concurrency