boolean programs: a model and process for software analysis by thomas ball and sriram k. rajamani...

Boolean Programs: A Model and Process For Software

AnalysisBy Thomas Ball and Sriram K. Rajamani

Microsoft technical paper MSR-TR-2000-14

Presented by Yunho KimProvable Software Lab, KAIST

Contents

Boolean Programs: A Model and Process For Software Analysis, Yunho Kim, Provable Software Lab, KAIST 2/22

• Introduction

• Constructing Boolean programs

• Checking feasibility

• Conclusion

• The choice of a model for software is a fundamen-tal issue in model checking of software

• The followings are key points of a good model– A representation R of the model is analogous to the fi-

nite state machine(FSM), and has efficient algorithms to model check R

– The model checking algorithms on R reports the short-est trace to an error

– Programming languages such as C, C++, Java have translations into R

Introduction


• Boolean programs is a good representation for software model checking

Introduction


Program P Boolean program B of P

numUnits: int; level: int; void getUnit(){[1] canEnter: bool := F;[2] if (numUnits = 0){[3] if (level > 10){[4] newUnit();[5] numUnits := 1;[6] canEnter := T; } } else[7] canEnter := T;

[8] if (canEnter)[9] if (numUnits = 0)[10] assert(F); else[11] gotUnit(); }

nU0: bool;

void getUnit(){[1] cE: bool := F;[2] if (nU0){[3] if(?){[4] skip;[5] nU0 := F;[6] cE := T; } } else[7] cE := T;

[8] if (cE)[9] if (nU0)[10] skip; else[11] skip;

• All variables in Boolean programs have Boolean type

• Each Boolean variable in B corresponds to an Boolean expression in P

• P and B have the same control structure

• The X programming language is a simple imperative lan-guage with procedures, assignments, if, while and asserts

• The type of a variable in the X language ranges over inte-gers, finite enumerations and three-valued type– From now on, Boolean type extends to three-valued logic

• Kleene’s three-valued interpretation of Æ, Ç and :

Introduction


Æ true false ?true true false ?false false false false

? ? false ?

Ç true false ?true true true truefalse true false ?

? true ? ?

:true falsefalse true

? ?

Introduction


• Overview of SLAM process

Constructing Boolean program

Modelchecking

Eliminating infeasible

path pFeasi-ble?

Program PSpec φ

Infeasible path p

φ false +

counterexam-ple

φ true

Today’s focus: Constructing Boolean program and feasibility check

Boolean program B

Error trace p

Contents


• Introduction



• Conclusion

Constructing Boolean pro-grams


• For simplicity, we assume that all programs are in X-normal form

• An X program P is in X-normal form if all the follow-ings hold– Every assert statement in P is followed by a skip state-

ment– All Boolean expressions in if and while statements of P

are ?– All assignment statements in P assign to a single variable

X program X-normal formif(e) {A} else {B}

if(?) { assert(e);skip;A} else { assert(!e);skip;B }

while(e){S} while(?) { assert(e);skip;S } as-sert(!e);skip;



• B(P,E) is a Boolean program of P with respect to E– P is a X program in X-normal form

• Let E = {e1, e2, , en } be a set of Boolean expres-sions over variables in P and constants in X

• Let VB = {b1, b2, , bn} be a set of Boolean vari-ables in B(P,E)– Let E(bi) denote the corresponding Boolean expression ei

• Each statement s in P is transformed to a corre-sponding statement in B(P,E) except for asserts– An assert statement is transformed to two statements in

B(P,E)



• Translation tables into B(P,E)

• I(s, e) denotes the truth value for the Boolean variable b corresponding to e, after executing statement s

• F(e) denotes the weakest disjunction of minterms over VB s.t. the corresponding expression of F(e) implies e

Statement(s) in P Translation in B(P,E)[i] if(?) [i] if(?)[i] while(?) [i] while(?)[i] x := e [i] b1, , bn := I(x:=e, e1), , I(x:=e, en)[i] assert(e)[j] skip

[i] assert(!(F(!e))[j] b1, , bn := I(assert(e), e1), , I(assert(e), en)

[i] skip [i] skip



• Then, how can we find the result of I(s, e), the truth value of e after execution of s?– The answer is the weakest precondition!

WP (x:=e, f) = f[x Ã e]WP (assert(e),f) = e ) f

• Let F(e) denote the largest disjunction of minterms over VB s.t. E(F(e)) ) e– Minterm is a logical expression consisting of only the conjunction and

complement operator– Intuitively, E(F(e)) is the weakest expression over E that implies e

• E(F(WP(s,e))) is the weakest precondition over E– If E(F(WP(s,e))) is true, then after executing s, e becomes true– If E(F(WP(s,!e))) is true, then after executing s, e becomes false



• Example• E = {(x=1), (x=2), (x·3)} and VB = {b1, b2, b3}

– E(b1) = (x=1), E(b2) = (x=2), E(b3) = (x·3)• The statement s is x := x+1

e = (x=1) e = (x=2) e = (x·3)WP(x:=x+1,e) x = 0 x = 1 x · 2

F(WP(x:=x+1,e) False b1 b1 Ç b2

E(F(WP(x:=x+1,e))) False x = 1 x = 1 Ç x = 2WP(x:=x+1,!e) x 0 x 1 x ¸ 3

F(WP(x:=x+1,!e) b1 Ç b2 Ç !b3 !b1 Ç b2 Ç !b3 !b3

E(F(WP(x:=x+1,!e)))

x=1 Ç x=2 Ç x > 3

x 1 Ç x=2 Ç x > 3

x > 3



• There is a difference between assert(F(e)) and assert(!F(!e))– F(e) ) e ) !F(!e)

• Example• E = {(x<y), (y<z)} and VB = {b1, b2}

– E(b1) = (x<y), E(b2) = (y<z)– e = (x<z)

E(F(e)) e E(!F(!e)) E(F(!e)) !e E(!F(e))Expression over

Ex<y Æ

y<zx<z x<y Ç

y<zx¸y Æ y¸z x ¸ z x¸y Ç y¸z

(x,yz) = (1,2,3) True True True False False False(x,y,z) = (1,3,2) False True True False False True(x,y,z) = (1,3,0) False False True False True True(x,y,z) = (3,2,1) False False False True True True

Contents


• Introduction



• Conclusion

Checking Feasibility


• Feasibility checking checks whether a given error trace ¼ in B(P,E) is a trace p in P– By using the modified strongest postcondition

• The modified strongest postcondition uses a context instead of a expression– instead of SP(f, x:=e)

• A context is a triple– is the current valuation to variables in p and called store. – ¦ is a set called the history which represents the past valuations to

variables in p– © is a set of Boolean expressions called conditions which represents

the constraints introduced by assert statements

SP (< ; ¦ ;©>;x := e)

< ;¦ ;©>



• Let V(p) be the set of variables appeared in p• Let Exp denote the set of expressions over £(p) and the constants

in X– £(p) = {µx,p | x 2 V(p)} is a set of symbolic constants in a one-to-one

correspondence with the variables of V(p)

• A context is a triple formally defined as – is a partial function V(p) ! Exp – ¦ µ V(p) £ Exp – © is a set of Boolean expressions from Exp

• Example

< ;¦ ;©>

p ¦ ©assert(b>0

)<b, µb,p> µb,p > 0

b := b+1 <b, µb,p +1>

<b, µb,p> µb,p > 0



• The strongest postcondition SP maps a context and a state-ment to a new context

– Given a store and a set of variables X µ V(p), let undef( , X) = {<x, µx,p> | x 2 X, not defined}

– Updates the current valuation of x and stores old value in the history ¦

– Updates the condition © only

• Initial context is <, , >

• p is feasible iff all conditions Æc 2 © c is satisfiable

(x)



• Example

• This trace is infeasible because (µb,p>0) ) (2µb,p (µb,p-1))

p ¦ ©assert(b>0) <b, µb,p> µb,p>0c := b+b <b, µb,p>,<c, 2µb,p> µb,p>0a := b <a, µb,p>,<b, µb,p>,<c,

2µb,p>µb,p>0

a := a-1 <a, µb,p-1>,<b, µb,p>,<c, 2µb,p>

<a, µb,p> µb,p>0

assert(a<b) <a, µb,p-1>,<b, µb,p>,<c, 2µb,p>

<a, µb,p> µb,p>0, µb,p -1 < µb,p

assert(c=a) <a, µb,p-1>,<b, µb,p>,<c, 2µb,p>

<a, µb,p> µb,p>0, µb,p -1 < µb,p, 2µb,p = (µb,p-1)

Eliminating infeasible paths


• To eliminate infeasible paths in a Boolean pro-gram, we need to refine the Boolean program

• Let C(<x,e>) denote the Boolean expression(x=e) and extend to a set of pairs

• Then, E = C( ) [ C(¦) [ © is sufficient set of condi-tions to make p feasible in B(P,E)

Contents


• Introduction



• Conclusion

Conclusion


• A boolean program is a good representation of software model checking

• The transformation to Boolean program uses the weakest precondition

• Symbolic path simulator using the strongest post-condition checks the feasibility of a given trace

Reference


• Boolean Programs: A Model and Process For Software Analy-sisby Thomas Ball and Sriram K. Rajamaniin Microsoft Technical Report, MSR-TR-2000-14

boolean programs: a model and process for software analysis by thomas ball and sriram k. rajamani...

Documents