Enhancing Path Sensitivity Analysis via Boolean Satisfiability Techniques
This work explores the application of Boolean satisfiability (SAT) methods to path-sensitive program analysis. SAT is the classic NP-complete problem, and solvers such as Chaff and Grasp serve as the back end for many tools in software verification, artificial intelligence, and other fields. The approach focuses on eliminating false positives from infeasible paths and on reasoning about values in complex programs, identifying integer overflows, buffer overruns, and off-by-one errors. The slides also cover modeling properties, translating expressions and statements into Boolean circuits, and control-flow transformations, and close with future work on slicing with respect to transitions and unrolling loops in path-sensitive analysis.
Using Boolean Satisfiability for Path Sensitive Analysis
Yichen Xie, Andy Chou
SAT
• Classic NP-complete problem
• Backend for many tools in verification, AI, etc.
• Much recent work: Chaff / Grasp / SATO / GSAT
• SAT problem P = conjunction of clauses
• Clause = disjunction of literals
• Literal = v or ¬v
• Example: (x ∨ y) ∧ (¬x ∨ y)
• A is a satisfying assignment if P(A) = true

Motivation
• Eliminate false positives from false (infeasible) paths
• Reasoning about values
  • Integer overflows
  • Buffer overruns
  • Off-by-one errors
• Branch correlations / path sensitivity
• Take advantage of SAT solver improvements
Modeling Properties
Program:
  if (x) lock(l);
  if (x) unlock(l);
Property checks inlined as state transitions on l:
  if (x) { assert(l == unlocked); l = locked; }
  if (x) { assert(l == locked); l = unlocked; }
Translating Expressions
• X => bit vector [x31 x30 … x0]
• Expressions: build a circuit for each operation
  • X != 0 => x31 ∨ x30 ∨ … ∨ x0
  • X == 0 => ¬(x31 ∨ x30 ∨ … ∨ x0)
  • X == Y => (x31 = y31) ∧ … ∧ (x0 = y0)
  • Addition: ripple-carry adder
  • Multiply by constant: Booth's algorithm
  • Negative numbers: 2's complement
  • Bit operations easy
• Captures effect of overflow
Translating Statements
• SSA transformation table T(v) = v_i
• Expression: T[e] => E
• Assignment: T' = Rename(x, T)
  T[x = e] => (T'(x) = E), T'
Translating Control Flow
• Similar to verification condition generation
  • See the ESC/Java paper we read
• Build path expression (regular expression of edges in the CFG)
• Translate path expression
  • Sequence => AND
  • Branch => OR
  • Loop => desugar and unroll
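The lock/unlock example from "Modeling Properties", encoded by the translation rules above (sequence as AND, branch as OR, one SSA copy of l per statement) and checked with a minimal DPLL solver. This is an added illustration, not code from the slides or their authors; the variable numbering, the `dpll` routine and the `correlated=False` variant (which models an analysis that forgets that both branches test the same x) are assumptions made for the example.

```python
def dpll(clauses, assignment=None):
    """Minimal DPLL over DIMACS-style clauses (lists of non-zero ints).
    Returns a satisfying assignment {var: bool} or None if unsatisfiable."""
    assignment = dict(assignment or {})
    while True:  # unit propagation to a fixpoint
        simplified = []
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue  # clause already satisfied
            rest = [l for l in clause if abs(l) not in assignment]
            if not rest:
                return None  # every literal falsified: conflict
            simplified.append(rest)
        clauses = simplified
        units = [c[0] for c in clauses if len(c) == 1]
        if not units:
            break
        for u in units:
            if assignment.get(abs(u), u > 0) != (u > 0):
                return None  # two unit clauses disagree
            assignment[abs(u)] = u > 0
    if not clauses:
        return assignment
    v = abs(clauses[0][0])  # branch on the first unassigned variable
    for value in (True, False):
        result = dpll(clauses, {**assignment, v: value})
        if result is not None:
            return result
    return None

def iff_or(a, b, c):   # CNF of a <-> (b or c)
    return [[-a, b, c], [a, -b], [a, -c]]

def iff_and(a, b, c):  # CNF of a <-> (b and c)
    return [[a, -b, -c], [-a, b], [-a, c]]

# Assumed variable numbering: X = branch condition, L0..L2 = SSA copies of l
# (true = locked), Y = an unrelated condition used only by the imprecise model.
X, L0, L1, L2, Y = 1, 2, 3, 4, 5

def program(correlated=True):
    """Path expression of: l = unlocked; if(x) lock(l); if(c) unlock(l);
    where c is x (precise) or an independent y (branch correlation lost)."""
    c = X if correlated else Y
    clauses = [[-L0]]                 # l starts unlocked
    clauses += iff_or(L1, X, L0)      # l1 = x ? locked : l0   (branch => OR)
    clauses += iff_and(L2, -c, L1)    # l2 = c ? unlocked : l1
    return clauses                    # statements in sequence => AND of clauses

def lock_while_locked():
    """Can assert(l == unlocked) before lock(l) fail? Query: x and l0."""
    return dpll(program() + [[X], [L0]])

def unlock_while_unlocked(correlated=True):
    """Can assert(l == locked) before unlock(l) fail? Query: c and not l1."""
    c = X if correlated else Y
    return dpll(program(correlated) + [[c], [-L1]])
```

With the branch correlation kept, both error queries are unsatisfiable; the uncorrelated model reports a satisfying assignment for the second query, which is exactly the false positive a path-insensitive analysis produces.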
Related Work
• Metal: adds path sensitivity
• ESC
  • simpler slicing, variable renaming
  • interprocedural
  • annotations optional
• SLAM / Lazy Abstraction
  • no iteration; guaranteed to converge
  • no need to "discover" predicates
  • SAT > model checking

Related Work (continued)
• ESP
  • catch more than constants
• Prefix
  • sound
  • simultaneously simulate all paths
• Model checking
  • eats too much memory for many problems

Future Work
• Slice w.r.t. transitions
  • only extract variables that influence transitions
• Unroll loops and recursion enough times to get all possible transitions