Symbolic Evaluation/Execution

Similar documents
ALGEBRA 2 CRA 2 REVIEW - Chapters 1-6 Answer Section

Regression Verification: Status Report

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Outline. Generalize Simple Example

Why? A central concept in Computer Science. Algorithms are ubiquitous.

Model Checking: An Introduction

µz An Efficient Engine for Fixed points with Constraints


InvGen: An Efficient Invariant Generator

Boolean Algebra Part 1

Automatic Test Data Synthesis using UML Sequence Diagrams

MA107 Precalculus Algebra Exam 2 Review Solutions

Software Testing. Definition: Testing is a process of executing a program with data, with the sole intention of finding errors in the program.

Solving Rational Equations

Automating Mimicry Attacks Using Static Binary Analysis

Integrating Benders decomposition within Constraint Programming

Year 9 set 1 Mathematics notes, to accompany the 9H book.

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

Discrete Optimization

Static Program Transformations for Efficient Software Model Checking

PROG0101 Fundamentals of Programming PROG0101 FUNDAMENTALS OF PROGRAMMING. Chapter 3 Algorithms

CORRELATED TO THE SOUTH CAROLINA COLLEGE AND CAREER-READY FOUNDATIONS IN ALGEBRA

Higher Education Math Placement

Nonlinear Algebraic Equations. Lectures INF2320 p. 1/88

What is Linear Programming?

Module 10. Coding and Testing. Version 2 CSE IIT, Kharagpur

6 EXTENDING ALGEBRA. 6.0 Introduction. 6.1 The cubic equation. Objectives

Scheduling Home Health Care with Separating Benders Cuts in Decision Diagrams

CRLS Mathematics Department Algebra I Curriculum Map/Pacing Guide

Coverability for Parallel Programs

Linear Programming. March 14, 2014

ALGORITHMS AND FLOWCHARTS. By Miss Reham Tufail

CHAPTER 3. Methods of Proofs. 1. Logical Arguments and Formal Proofs

Automated Program Behavior Analysis

NSM100 Introduction to Algebra Chapter 5 Notes Factoring

Linear Programming for Optimization. Mark A. Schulze, Ph.D. Perceptive Scientific Instruments, Inc.

AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS

Different Approaches to White Box Testing Technique for Finding Errors

Lecture 2 Mathcad Basics

3.1 Solving Systems Using Tables and Graphs

Second Order Differential Equations with Hypergeometric Solutions of Degree Three

APPROACHES TO SOFTWARE TESTING PROGRAM VERIFICATION AND VALIDATION

Study Guide 2 Solutions MATH 111

COMPUTER SCIENCE TRIPOS

Solve addition and subtraction word problems, and add and subtract within 10, e.g., by using objects or drawings to represent the problem.

MATRIX ALGEBRA AND SYSTEMS OF EQUATIONS. + + x 2. x n. a 11 a 12 a 1n b 1 a 21 a 22 a 2n b 2 a 31 a 32 a 3n b 3. a m1 a m2 a mn b m

A Constraint Programming based Column Generation Approach to Nurse Rostering Problems

Methodology for the Generation of Program Test Data

Florida Math Correlation of the ALEKS course Florida Math 0028 to the Florida Mathematics Competencies - Upper

Rigorous Software Development CSCI-GA

Verification of Imperative Programs in Theorema

Click on the links below to jump directly to the relevant section

SYSM 6304: Risk and Decision Analysis Lecture 5: Methods of Risk Analysis

MBA Jump Start Program

TOPIC 4: DERIVATIVES

South Carolina College- and Career-Ready (SCCCR) Algebra 1

Lecture Notes on Linear Search

2.3 WINDOW-TO-VIEWPORT COORDINATE TRANSFORMATION

Integer Operations. Overview. Grade 7 Mathematics, Quarter 1, Unit 1.1. Number of Instructional Days: 15 (1 day = 45 minutes) Essential Questions

Approximation Algorithms

Grade Level Year Total Points Core Points % At Standard %

Mathematical Induction. Mary Barnes Sue Gordon

Glossary of Object Oriented Terms

Equations, Inequalities & Partial Fractions

2) Write in detail the issues in the design of code generator.

Comprehensive Static Analysis Using Polyspace Products. A Solution to Today s Embedded Software Verification Challenges WHITE PAPER

Introduction to Computers and Programming. Testing

Software Testing. Quality & Testing. Software Testing

The Theory of Concept Analysis and Customer Relationship Mining

March 29, S4.4 Theorems about Zeros of Polynomial Functions

MATH 60 NOTEBOOK CERTIFICATIONS

MAX = 5 Current = 0 'This will declare an array with 5 elements. Inserting a Value onto the Stack (Push)

Notes on Algorithms, Pseudocode, and Flowcharts

Examples of Tasks from CCSS Edition Course 3, Unit 5

Definition 8.1 Two inequalities are equivalent if they have the same solution set. Add or Subtract the same value on both sides of the inequality.

SMT 2014 Algebra Test Solutions February 15, 2014

MATH 90 CHAPTER 6 Name:.

SAT Math Facts & Formulas Review Quiz

Linear Algebra Notes for Marsden and Tromba Vector Calculus

Duality in General Programs. Ryan Tibshirani Convex Optimization /36-725

A NEW LOOK AT CONVEX ANALYSIS AND OPTIMIZATION

Algebra Unpacked Content For the new Common Core standards that will be effective in all North Carolina schools in the school year.

LAKE ELSINORE UNIFIED SCHOOL DISTRICT

Numerical methods for American options

Software Testing & Verification 2013/2014 Universiteit Utrecht

Linear Programming. April 12, 2005

Series and Parallel Resistive Circuits

Multichoice Quetions 1. Atributes a. are listed in the second part of the class box b. its time is preceded by a colon. c. its default value is

Arithmetic Coding: Introduction

Verification of Network Management System Configurations

COMPETENCY TEST SAMPLE TEST. A scientific, non-graphing calculator is required for this test. C = pd or. A = pr 2. A = 1 2 bh

ABCD: Eliminating Array Bounds Checks on Demand

Efficient Data Structures for Decision Diagrams

Enhancing ECA Rules for Distributed Active Database Systems

Roots of Polynomials

constraint. Let us penalize ourselves for making the constraint too big. We end up with a

Answer Key for California State Standards: Algebra I

Scheduling Shop Scheduling. Tim Nieberg

Algorithm & Flowchart & Pseudo code. Staff Incharge: S.Sasirekha

12.6 Logarithmic and Exponential Equations PREPARING FOR THIS SECTION Before getting started, review the following:

Transcription:

Symbolic Evaluation/Execution

Today s Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35.

Symbolic Evaluation/Execution Creates a functional representation of a path of an executable component For a path Pi D[Pi] is the domain for path Pi C[Pi] is the computation for path Pi

Functional Representation of an Executable Component P : X Y P P is composed of partial functions corresponding to the executable paths P = {P 1,...,P r } P i : X i Y

Functional Representation of an Executable Component X i is the domain of path P i Denoted D[ P i ] P i X i P j X j P k X k X l P l X = D[P 1 ]... D[P r ] = D[P] D[P i ] D[P j ] = Ø, i j

Representing Computation Symbolic names represent the input values the path value PV of a variable for a path describes the value of that variable in terms of those symbolic names the computation of the path C[P] is described by the path values of the outputs for the path

Representing Conditionals an interpreted branch condition or interpreted predicate is represented as an inequality or equality condition the path condition PC describes the domain of the path and is the conjunction of the interpreted branch conditions the domain of the path D[P] is the set of imput values that satisfy the PC for the path

Example program procedure Contrived is X, Y, Z : integer; 1 read X, Y; 2 if X 3 then 3 Z := X+Y; else 4 Z := 0; endif; 5 if Y > 0 then 6 Y := Y + 5; endif; 7 if X - Y < 0 then 8 write Z; else 9 write Y; endif; end Contrived; Stmt PV PC 1 X x true Y y 2,3 Z x+y true x 3 = x 3 5,6 Y y+5 x 3 y>0 7,9 x 3 y>0 x-(y+5) 0 = x 3 y>0 (x-y) 5

Presenting the results Statements PV PC procedure Contrived is X, Y, Z : integer; 1 read X, Y; 2 if X 3 then 3 Z := X+Y; else 4 Z := 0; endif; 5 if Y > 0 then 6 Y := Y + 5; endif; 7 if X - Y < 0 then 8 write Z; else 9 write Y; endif end Contrived 1 X x true Y y 2,3 Z x+y true x 3 = x 3 5,6 Y y+5 x 3 y>0 7,9 x 3 y>0 x-(y+5) 0 = x 3 y>0 (x-y) 5 P = 1, 2, 3, 5, 6, 7, 9 D[P] = { (x,y) x 3 y>0 x-y 5} C[P] = PV.Y = y +5

Results (feasible path) y x 3 (x-y) 5 y>0 x P = 1, 2, 3, 5, 6, 7, 9 D[P] = { (x,y) x 3 y>0 x-y 5} C[P] = PV.Y = y +5

Evaluating another path procedure Contrived is X, Y, Z : integer; 1 read X, Y; 2 if X 3 then 3 Z := X+Y; else 4 Z := 0; endif; 5 if Y > 0 then 6 Y := Y + 5; endif; 7 if X - Y < 0 then 8 write Z; else 9 write Y; endif; end Contrived; Stmts PV PC 1 X x true Y y 2,3 Z x+y true x 3 = x 3 5,7 x 3 y 0 7,8 x 3 y 0 x-y < 0

procedure EXAMPLE is X, Y, Z : integer; 1 read X, Y; 2 if X 3 then 3 Z := X+Y; else 4 Z := 0; endif; 5 if Y > 0 then 6 Y := Y + 5; endif; 7 if X - Y < 0 then 8 write Z; else 9 write Y; endif end EXAMPLE Stmts PV PC 1 X x true Y y 2,3 Z x+y true x 3 = x 3 5,7 x 3 y 0 7,8 x 3 y 0 x-y < 0 P = 1, 2, 3, 5, 7, 8 D[P] = { (x,y) x 3 y 0 x-y<0} infeasible path!

Results (infeasible path) y x 3 (x-y) < 0 y 0 x

what about loops? Symbolic evaluation requires a full path description 4 1 2 3 Example Paths P= 1, 2, 3, 5 P= 1, 2, 3, 4, 2, 3, 5 P= 1, 2, 3, 4, 2, 3, 4, 2, 3, 5 Etc. 5

Symbolic Testing Path Computation provides [concise] functional representation of behavior for entire Path Domain Examination of Path Domain and Computation often useful for detecting program errors Particularly beneficial for scientific applications or applications w/o oracles

Simple Symbolic Evaluation Provides symbolic representations given path Pi path condition PC = path domain D[Pi] ={(x1, x1,...,x1) pc true } path values PV.X1= path computation C[Pi] = P = 1, 2, 3, 5, 6, 7, 9 D[P] = { (x,y) x 3 y>0 x-y 5} C[P] = PV.Y = y +5

Additional Features: Simplification Path Condition Consistency Fault Detection Path Selection Test Data Generation

Simplification Reduces path condition to a canonical form Simplifier often determines consistency PC = ( x >= 5 ) and ( x < 0 ) May want to display path computation in simplified and unsimplified form PV.X = x + (x +1) + (x + 2) + (x + 3) = 4 * x + 6

Path Condition Consistency strategy = solve a system of constraints theorem prover consistency algebraic, e.g., linear programming consistency and find solutions solution is an example of automatically generated test data... but, in general we cannot solve an arbitrary system of constraints!

Fault Detection Implicit fault conditions E.g. Subscript value out of bounds E.g. Division by zero e.g., Q:=N/D Create assertion to represent the fault and conjoin with the pc Division by zero assert(divisor 0) Determine consistency PC P and (PV.divisor = 0) if consistent then error possible Must check the assertion at the point in the path where the construct occurs

Checking user-defined assertions example Assert (A > B) PC and (PV.A) PV.B) if consistent then assertion not valid

Comparing Fault Detection Approaches assertions can be inserted as executable instructions and checked during execution dependent on test data selected (dynamic testing ) use symbolic evaluation to evaluate consistency dependent on path, but not on the test data looks for violating data in the path domain

Additional Features: Simplification Path Condition Consistency Fault Detection Path Selection Test Data Generation

Path Selection User selected Automated selection to satisfy some criteria e.g., exercise all statements at least once Because of infeasible paths, best if path selection done incrementally

Incremental Path Selection PC and PV maintained for partial path Inconsistent partial path can often be salvaged T X>0 PC F pc = pc and (x 0) pc = pc and (x>3) = pc and (x 0) and (x>3) INCONSISTENT! infeasible path T X>3 F pc = pc and (x 3) = pc and (x 0) and (x 3) CONSISTENT [if pc is consistent]

Path Selection (continued) Can be used in conjunction with other static analysis techniques to determine path feasibility Testing criteria generates a path that needs to be tested Symbolic evaluation determines if the path is feasible Can eliminate some paths from consideration

Additional Features: Simplification Path Condition Consistency Fault Detection Path Selection Test Data Generation

Test Data Generation Simple test date selection: Select test data that satisfies the path condition pc Error based test date selection Try to select test cases that will help reveal faults Use information about the path domain and path values to select test data e.g., PV.X = a * (b + 2); a = 1 combined with min and max values of b b = -1 combined with min and max values for a

Enhanced Symbolic Evaluation Capabilities Creates symbolic representations of the Path Domains and Computations Symbolic Testing Determine if paths are feasible Automatic fault detection system defined user assertions Automatic path selection Automatic Test Data Generation

An Enhanced Symbolic Evaluation System component User input Path Selection fault conditions Detect inconsistency Symbolic Execution path condition Simplifier path values Detect inconsistency Inequality Solver simplified path values fault report path domain test data path computation

Problems Information explosion Impracticality of all paths Path condition consistency Aliasing elements of a compound type e.g., arrays and records pointers

Alias Problem A(2) := 5 read I, A(I) Indeterminate subscript X := A(2) Y:=A(I) I > 2 Z:=A(I) constraints on subscript value due to path condition

Escalating problem Read I X := A[I] PV.X = unknown Y := X + Z PV.Y = unknown + PV.Z = unknown

Can often determine array element I:= 0 I 3 Y:=A(I) I:= I+1. subscript value. is constant.

Symbolic Evaluation Approaches symbolic evaluation With some enhancements Data independent Path dependent dynamic symbolic evaluation Data dependent--> path dependent global symbolic evaluation Data independent Path independent

Dynamic Symbolic Execution Data dependent Provided information Actual value: X := 25.5 Symbolic expression: X := Y * (A + 1.9); Derived expression: X = (25.5) Y * (5.1) + A (3.1) 1.9

Dynamic Analysis combined with Symbolic Execution Actual output values Symbolic representations for each path executed path domain path computation Fault detection data dependent path dependent (if accuracy is available)

Dynamic Symbolic Execution Advantages No path condition consistency determination No path selection problem No aliasing problem (e.g., array subscripts) Disadvantages Test data selection (path selection) left to user Fault detection is often data dependent Applications Debugging Symbolic representations used to support path and data selection

Symbolic Evaluation Approaches simple symbolic evaluation dynamic symbolic evaluation global symbolic evaluation Data and path independent Loop analysis technique classifies paths that differ only by loop iterations Provides global symbolic representation for each class of paths

Global Symbolic Evaluation Loop Analysis creates recurrence relations for variables and loop exit condition solution is a closed form expression representing the loop then, loop expression evaluated as a single node

Global Symbolic Evaluation 1 2 s 4 5 6 7 8 f 3 2 classes of paths: P 1 :(s,(1,2),4,(5,(6,7),8),f) P 2 : (s,3,4,(5,(6,7),8),f) global analysis case D[P 1 ]: C[P 1 ] D[P 2 ]: C[P 2 ] Endcase analyze the loops first consider all partial paths up to a node

Loop analysis example read A, B Area := 0 X := A X B f t write AREA AREA:= AREA+A X:= X+1

Loop Analysis Example Recurrence Relations AREA k =AREA k-1 + A 0 X k =X k-1 + 1 Loop Exit Condition lec(k)= (X k > B 0 ) X B T AREA:= AREA+A X:= X+1

Loop Analysis Example (continued) solved recurrence relations AREA(k) = AREA 0 + X(k) = X 0 + k solved loop exit condition lec(k) = (X 0 + k > B 0 ) loop expression X Σ 0 + k - 1 i = X 0A 0 k e = min {k X 0 + k > B 0 and k 0} AREA : = AREA 0 + X : = X 0 +k e X + k e -1 0 Σ 0 i = X A 0

loop expression k e = min {k X 0 + k > B 0 and k 0} AREA : = AREA 0 + X : = X 0 +k e global representation for input (a,b) X 0 = a, A 0 =a, B 0 = b, AREA 0 = 0 a + k e > b ==> k e > b - a K e = b - a +1 X = a +(b-a+1) = b+1 X Σ 0 +k e -1 A 0 i = X 0 AREA = = (b-a+1) a Σb i = a a write AREA read A,B AREA :=0 X :=A

Loop analysis example read A, B Area:= 0 X:= A X B f t write AREA AREA:= AREA+A X:= X+1

Find path computation and path domain for all classes of paths P1 = (1, 2, 3, 4, 7) D[P1] = a > b C[P1] = (AREA=0) and (X=a) read A,B AREA :=0 X :=A X B write AREA

Find path computation and path domain for all classes of paths P2 = (1, 2, 3, 4, (5, 6), 7) D[P2] = (b>a) C[P2] = (AREA = (b-a+1) a ) k e =b - a +1 X : = b + 1 read A, B X 0 = a B 0 = b A 0 = a K e = b - a +1 X = b+1 AREA = (b-a+1) a Area:= 0 X:= A f X B t write AREA AREA:= AREA+A X:= X+1

Example procedure RECTANGLE (A,B: in real; H: in real range -1.0... 1.0; F: in array [0..2] of real; AREA: out real; ERROR: out boolean) is -- RECTANGLE approximates the area under the quadratic equation -- F[0] + F[1]*X + F[2]*X**2 From X=A to X=B in increments of H. s begin X,Y: real; --check for valid input 1 if H > B - A then 2 ERROR := true; else 3 ERROR := false; 4 X := A; 5 AREA := F[0] + F[1]*X + F[2]*X*2; 6 while X + H B loop 7 X := X + H; 8 Y := F[0] + F[1]*X + F[2]*X**2; 9 AREA := AREA + Y; end loop; 10 AREA := AREA*H; endif; end RECTANGLE

s H > B - A 1 ERROR := true; 2 ERROR := false; X := A; 3 4 AREA := F[0] + F[1]*X + F[2]*X**2 5 X + H B 6 X := X + H; 7 Y := F[0] + F[1]*X + F[2]*X**2; 8 AREA := AREA + Y; 9 AREA := AREA*H 10 f

Symbolic Representation of Rectangle P 1 (s,1,2,f) s D[P 1 ] (a - b + h > 0.0) H > B - A 1 C[P 1 ] AREA =? ERROR = true ERROR := true; 2 ERROR := false; 3 P 2 (s,1,3,4,5,6,10,f) X := A; 4 D[P 2 ] (a - b + h <= 0.0) and (a - b + h > 0.0) AREA := F[0] + F[1]*X + F[2]*X**2 5 = = false *** infeasible path *** X + H B 6 P 3 (s,1,3,4,5,(6,7,8,9),10,11,f) X := X + H; 7 D[P 3 ] (a-b+h <= 0.0) Y := F[0] + F[1]*X + F[2]*X**2; 8 C[P 3 ] AREA = a*f[1]*j+2.0*a*f[2]*h+f[0]*h +sum < i :=1... int (-a/h+b/h) AREA := AREA + Y; 9 (a*f[1]*h+a**2*f[2]*h +2.0*a*f[2]*h**2*i+f[0]*h +f[1]*h**2*i+f[2]*h**3*i**2) > AREA := AREA*H 10 ERROR = false f

Global Symbolic Evaluation Advantages global representation of routine no path selection problem Disadvantages has all problems of Symbolic Execution PLUS inability to solve recurrence relations (interdependencies, conditionals) Applications has all applications of Symbolic Execution plus Verification Program Optimization

Why hasn t symbolic evaluation become widely used? expensive to create representations expensive to reason about expressions imprecision of results current computing power and better user interface capabilities may make it worth reconsidering

Partial Evaluation Similar to (Dynamic) Symbolic Evaluation Provide some of the input values If input is x and y, provide a value for x Create a representation that incorporates those values and that is equivalent to the original representation if it were given the same values as the preset values P(x, y) = P (x, y)

Partial Evaluator static input program Partial evaluator Dynamic input Specialized program output

Why is partial evaluation useful? In compilers May create a faster representation E.g., if you know the maximum size for a platform or domain, hardcode that into the system More than just constant propagation Do symbolic manipulations with the computations

Example with Ackermann s function A(m,n) = if m = 0 then n+1 else if n = 0 then A(m-1, 1) else A(m-1,A(m,n-1)) A0(n) = n+1 A1(n) = if n = 0 then A0(1) else A0(A1(n-1)) A2(n) = if n = 0 then A1(1) else A1(A2(n-1))

Specialization using partial evaluation A(2) := 5 read I, A(I) I > 2 A(2) := 5 Y:=A(I) Z:=A(2) read I, A(I) I>2? I=2 Y:=A(I) Z:=5 I<2 Z:=eval(A(2))

Why is Partial Evaluation Useful in Analysis Often can not reason about dynamic information Instantiates a particular configuration of the system that is easier to reason about E.g., the number of tasks in a concurrent system; the maximum size of a vector Look at several configurations and try to generalize results Induction Often done informally

Reference on Partial Evaluation Neil Jones, An Introduction to Partial Evaluation, ACM Computing Surveys, September 1996

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information