PatriceGodefroid,AdityaV.Nori,SriramK.RajamaniMicrosoftResearch

SaiDeepTetaliUCLosAngeles

  QuestionDoestheassertionholdforallpossibleinputs?

Mustanalysis:findsbugs,butcan’tprovetheirabsenceMayanalysis:canprovetheabsenceofbugs,butcanresultinfalseerrors

  Mayanalysis=predicateabstraction(SLAM)

  Mustanalysis=symbolicexecution+tests(DART)

  CompositionalMay‐Mustanalysis:  Interproceduralanalysis  Memoizeandre‐usemay/mustsummaries  Allowsfine‐grainedcouplingandalternation

SMASH ≫ Compositional-May || Compositional-Must!

void f() { 0: *p = 4; 1: *q = 5; }

test

proof

0

1

2

1

void f() { 0: *p = 4; 1: *q = 5; }

7

0

1

2

4

6

7

3

5

2

0

1

2

4

6

7

3

5

2

0

1

2

4

6

7

3

5

frontier

0

1

2

4

6

7

3

5

frontier

0

1

2

4

6

7

3

5

2

frontier

must summary

•  Generatepoststatesbyusingmustsummaries

must summary

must summary

0

1

2

4

6

7

3

5

0

1

2

4

6

7

3

5

2

0

1

2

4

6

7

3

5

frontier

must summary

0

1

2

4

6

7

3

5

frontier

must summary

0

1

2

4

6

7

3

5

2

frontier

must

must must must must

must must

must must

  TheSMASHimplementationisadeterministicrealizationofthedeclarativerules

  InputCprogramisfirstabstractlyinterpreted  Nopointerarithmetic‐‐*(p+i) istreatedas*p   Logicencoding‐‐propositionallogic,lineararithmeticanduninterpretedfunctions

  Theoremprover:Z3

Wehaveunleashedthepowerofalternation!

Statistics Dash

SMASH

0 39

0 12

Numberofproofs 2176 2228

Numberofbugs 64 64 Time‐outs 61 9 Time(hours) 117 44

69 drivers(342000LOC)and85properties

  SMASHisaunifiedframeworkforcompositionalmay‐mustprogramanalysis

  WehaveexplainedSMASHinthecontextofexistinganalyses(SLAM,DART,Synergy/Dash…)inthearea

  EmpiricalevaluationshowsthatSMASH cansignificantlyoutperformmay‐only,must‐onlyandnon‐compositionalmay‐mustalgorithms

http://research.microsoft.com/yogi