Upload File

overapproximating program paths using fol formula€¦overapproximating program paths using fol...

  • Home
  • Documents
  • Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10
53
Overapproximating Program Paths using FOL Formula Jan Strejˇ cek and Marek Trt´ ık 1/10

Upload: ngotruc

Post on 30-Sep-2018

219 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Overapproximating Program Paths using FOL Formula

Jan Strejcek and Marek Trtık

1/10

Page 2: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

1 Motivation

2 Our heuristic

3 Z3 performance

4 Experimental Results

2/10

Page 3: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Motivation

1

2

a = 0

3

i = 0

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

7

i >= n

8

a > 12

> 2232

paths

(1) Relax exact interleaving of paths through a loop.(2) Express variables as functions of path counters.

3/10

Page 4: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Motivation

1

2

a = 0

3

i = 0

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

7

i >= n

8

a > 12

> 2232

paths

(1) Relax exact interleaving of paths through a loop.(2) Express variables as functions of path counters.

3/10

Page 5: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Motivation

1

2

a = 0

3

i = 0

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

7

i >= n

8

a > 12

> 2232

paths

(1) Relax exact interleaving of paths through a loop.(2) Express variables as functions of path counters.

3/10

Page 6: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Motivation

1

2

a = 0

3

i = 0

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

7

i >= n

8

a > 12

> 2232

paths

(1) Relax exact interleaving of paths through a loop.

(2) Express variables as functions of path counters.

3/10

Page 7: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Motivation

1

2

a = 0

3

i = 0

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

7

i >= n

8

a > 12

> 2232

paths

(1) Relax exact interleaving of paths through a loop.(2) Express variables as functions of path counters.

3/10

Page 8: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 9: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i→ i i→ i + 1a→ a a→ a + 1

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 10: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i→ i i→ i + 1a→ a a→ a + 1

i(κ1) = κ1 + i

i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 11: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i→ i i→ i + 1a→ a a→ a + 1

i(κ1) = κ1 + i

i(κ2) = κ2 + i

a(κ1) = κ1 + a

a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 12: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i→ i i→ i + 1a→ a a→ a

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 13: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

Merging counter functions.

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + i

a(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 14: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

Merging counter functions.

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 15: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 16: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 17: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 18: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 19: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 20: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 21: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

3

4

i < n

5

A[i]==1

6

A[i]!=1

++a

++i

i(κ1) = κ1 + i i(κ2) = κ2 + ia(κ1) = κ1 + a a(κ2) = a

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + a

ϕ~κ ≡ ∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧

τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) = 1)) ∧∀τ2 (0 ≤ τ2 < κ2 →

∃τ1 (0 ≤ τ1 ≤ κ1 ∧τ1 + τ2 + i < n ∧ A(τ1 + τ2 + i) 6= 1))

4/10

Page 22: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1ϕ~κ

[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 23: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + aϕ~κ

[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 24: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2 + ia(κ1) = κ1 + aϕ~κ

[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 25: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1 + aϕ~κ

[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 26: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1 + aϕ~κ

[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 27: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1ϕ~κ

[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 28: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1ϕ~κ[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 29: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1ϕ~κ[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 30: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1ϕ~κ[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 31: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1ϕ~κ[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 32: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1ϕ~κ[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 33: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Our heuristic

1

2

a = 0

3

i = 0

7

i >= n

8

a > 12

i(κ1, κ2) = κ1 + κ2a(κ1) = κ1ϕ~κ[i/0, a/0]

ϕ ≡ ∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

ϕ~κ[i/0, a/0] ∧κ1 + κ2 ≥ n ∧κ1 > 12))

5/10

Page 34: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Usage of the heuristic

Symbolic execution:

PC ← true

DART:

Initialization =Next input =

Tools:

Klee, Exe, Pex, Sage

6/10

Page 35: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Usage of the heuristic

Symbolic execution:

PC ← ϕ

DART:

Initialization =Next input =

Tools:

Klee, Exe, Pex, Sage

6/10

Page 36: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Usage of the heuristic

Symbolic execution:

PC ← ϕ

DART:

Initialization = random

Next input =

Tools:

Klee, Exe, Pex, Sage

6/10

Page 37: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Usage of the heuristic

Symbolic execution:

PC ← ϕ

DART:

Initialization = model of ϕ

Next input =

Tools:

Klee, Exe, Pex, Sage

6/10

Page 38: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Usage of the heuristic

Symbolic execution:

PC ← ϕ

DART:

Initialization = model of ϕNext input = model of ϕ

Tools:

Klee, Exe, Pex, Sage

6/10

Page 39: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Usage of the heuristic

Symbolic execution:

PC ← ϕ

DART:

Initialization = model of ϕNext input = model of ϕ ∧ ϕ

Tools:

Klee, Exe, Pex, Sage

6/10

Page 40: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Usage of the heuristic

Symbolic execution:

PC ← ϕ

DART:

Initialization = model of ϕNext input = model of ϕ ∧ ϕ

Tools:

Klee, Exe, Pex, Sage

6/10

Page 41: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Z3 performance

∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) = 1)) ∧

∀τ2 (0 ≤ τ2 < κ2 →∃τ1 (0 ≤ τ1 ≤ κ1 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) 6= 1)) ∧

κ1 + κ2 ≥ n ∧ κ1 > 12))

(1) ϕ −→ true | ϕ(∅) ∨ ϕ(2) ϕ(V ) −→ γ(V ) | ∃x (0 ≤ x ∧ ψ(V ∪ {x}) ∧ ϕ(V ∪ {x}))

(3) ψ(V ∪{y}) −→ true | ∀x (0 ≤ x < y → ρ(V ∪{x , y}))∧ψ(V ∪{y})(4) ρ(V ∪ {y}) −→ ϕ(V ∪ {y}) | ∃x (0 ≤ x ≤ y ∧ ρ(V ∪ {x , y}))

7/10

Page 42: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Z3 performance

∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) = 1)) ∧

∀τ2 (0 ≤ τ2 < κ2 →∃τ1 (0 ≤ τ1 ≤ κ1 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) 6= 1)) ∧

κ1 + κ2 ≥ n ∧ κ1 > 12))

(1) ϕ −→ true | ϕ(∅) ∨ ϕ(2) ϕ(V ) −→ γ(V ) | ∃x (0 ≤ x ∧ ψ(V ∪ {x}) ∧ ϕ(V ∪ {x}))

(3) ψ(V ∪{y}) −→ true | ∀x (0 ≤ x < y → ρ(V ∪{x , y}))∧ψ(V ∪{y})(4) ρ(V ∪ {y}) −→ ϕ(V ∪ {y}) | ∃x (0 ≤ x ≤ y ∧ ρ(V ∪ {x , y}))

7/10

Page 43: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Z3 performance

∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) = 1)) ∧

∀τ2 (0 ≤ τ2 < κ2 →∃τ1 (0 ≤ τ1 ≤ κ1 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) 6= 1)) ∧

κ1 + κ2 ≥ n ∧ κ1 > 12))

(1) ϕ −→ true | ϕ(∅) ∨ ϕ(2) ϕ(V ) −→ γ(V ) | ∃x (0 ≤ x ∧ ψ(V ∪ {x}) ∧ ϕ(V ∪ {x}))

(3) ψ(V ∪{y}) −→ true | ∀x (0 ≤ x < y → ρ(V ∪{x , y}))∧ψ(V ∪{y})(4) ρ(V ∪ {y}) −→ ϕ(V ∪ {y}) | ∃x (0 ≤ x ≤ y ∧ ρ(V ∪ {x , y}))

7/10

Page 44: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Z3 performance

∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) = 1)) ∧

∀τ2 (0 ≤ τ2 < κ2 →∃τ1 (0 ≤ τ1 ≤ κ1 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) 6= 1)) ∧

κ1 + κ2 ≥ n ∧ κ1 > 12))

(1) ϕ −→ true | ϕ(∅) ∨ ϕ(2) ϕ(V ) −→ γ(V ) | ∃x (0 ≤ x ∧ ψ(V ∪ {x}) ∧ ϕ(V ∪ {x}))

(3) ψ(V ∪{y}) −→ true | ∀x (0 ≤ x < y → ρ(V ∪{x , y}))∧ψ(V ∪{y})(4) ρ(V ∪ {y}) −→ ϕ(V ∪ {y}) | ∃x (0 ≤ x ≤ y ∧ ρ(V ∪ {x , y}))

7/10

Page 45: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Z3 performance

∃κ1 (κ1 ≥ 0 ∧∃κ2 (κ2 ≥ 0 ∧

∀τ1 (0 ≤ τ1 < κ1 →∃τ2 (0 ≤ τ2 ≤ κ2 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) = 1)) ∧

∀τ2 (0 ≤ τ2 < κ2 →∃τ1 (0 ≤ τ1 ≤ κ1 ∧ τ1 + τ2 < n ∧ A(τ1 + τ2) 6= 1)) ∧

κ1 + κ2 ≥ n ∧ κ1 > 12))

(1) ϕ −→ true | ϕ(∅) ∨ ϕ(2) ϕ(V ) −→ γ(V ) | ∃x (0 ≤ x ∧ ψ(V ∪ {x}) ∧ ϕ(V ∪ {x}))

(3) ψ(V ∪{y}) −→ true | ∀x (0 ≤ x < y → ρ(V ∪{x , y}))∧ψ(V ∪{y})(4) ρ(V ∪ {y}) −→ ϕ(V ∪ {y}) | ∃x (0 ≤ x ≤ y ∧ ρ(V ∪ {x , y}))

7/10

Page 46: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Z3 performance

(κ1 ≥ 0 ∧ κ1 ≤ 25 ∧(κ2 ≥ 0 ∧ κ2 ≤ 25 ∧

(0 ≤ 0 < κ1)→(0 ≤ τ2,0 ≤ κ2 ∧ 0 + τ2,0 < n ∧ A(0 + τ2,0) = 1)) ∧

· · ·(0 ≤ 24 < κ1)→

(0 ≤ τ2,24 ≤ κ2 ∧ 24 + τ2,24 < n ∧ A(24 + τ2,24) = 1)) ∧

(0 ≤ 0 < κ2)→(0 ≤ τ1,0 ≤ κ1 ∧ τ1,0 + 0 < n ∧ A(τ1,0 + 0) 6= 1)) ∧

· · ·(0 ≤ 24 < κ2)→

(0 ≤ τ1,24 ≤ κ1 ∧ τ1,24 + 24 < n ∧ A(τ1,24 + 24) 6= 1)) ∧

κ1 + κ2 ≥ n ∧ κ1 > 12))

8/10

Page 47: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Z3 performance

(κ1 ≥ 0 ∧ κ1 ≤ 25 ∧(κ2 ≥ 0 ∧ κ2 ≤ 25 ∧

(0 ≤ 0 < κ1)→(0 ≤ τ2,0 ≤ κ2 ∧ 0 + τ2,0 < n ∧ A(0 + τ2,0) = 1)) ∧

· · ·(0 ≤ 24 < κ1)→

(0 ≤ τ2,24 ≤ κ2 ∧ 24 + τ2,24 < n ∧ A(24 + τ2,24) = 1)) ∧

(0 ≤ 0 < κ2)→(0 ≤ τ1,0 ≤ κ1 ∧ τ1,0 + 0 < n ∧ A(τ1,0 + 0) 6= 1)) ∧

· · ·(0 ≤ 24 < κ2)→

(0 ≤ τ1,24 ≤ κ1 ∧ τ1,24 + 24 < n ∧ A(τ1,24 + 24) 6= 1)) ∧

κ1 + κ2 ≥ n ∧ κ1 > 12))

8/10

Page 48: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Z3 performance

(κ1 ≥ 0 ∧ κ1 ≤ 25 ∧(κ2 ≥ 0 ∧ κ2 ≤ 25 ∧

(0 ≤ 0 < κ1)→(0 ≤ τ2,0 ≤ κ2 ∧ 0 + τ2,0 < n ∧ A(0 + τ2,0) = 1)) ∧

· · ·(0 ≤ 24 < κ1)→

(0 ≤ τ2,24 ≤ κ2 ∧ 24 + τ2,24 < n ∧ A(24 + τ2,24) = 1)) ∧

(0 ≤ 0 < κ2)→(0 ≤ τ1,0 ≤ κ1 ∧ τ1,0 + 0 < n ∧ A(τ1,0 + 0) 6= 1)) ∧

· · ·(0 ≤ 24 < κ2)→

(0 ≤ τ1,24 ≤ κ1 ∧ τ1,24 + 24 < n ∧ A(τ1,24 + 24) 6= 1)) ∧

κ1 + κ2 ≥ n ∧ κ1 > 12))

8/10

Page 49: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Experimental Results

APCTest Pex Total Build Full QF

Hello 5.257 0.614 0.091 0.433 0.09HW 25.05 1.608 0.400 0.998 0.21

HWM fail 11.00 7.338 2.748 0.92MatrIR 95.00 1.435 0.105 1.330 -

WinDriver 35.53 0.382 0.089 0.143 0.150

- Intel R© CoreTM i7 CPU 920 @ 2.67GHz 2.67GHz, 6GB RAM, Windows 7 Professional 64-bit- MS Pex 0.92.50603.1, MS Moles 1.0.0.0, MS Visual Studio 2008, MS .NET Framework v3.5 SP1- MS Z3 SMT solver v3.2, and boost v1.42.0.

9/10

Page 50: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Conclusion

The heuristic computes a formula that is a necessary condition forreaching the target. We build the formula according to the followingtwo relaxations:

We relax an exact interleaving of paths through a loop.And we expresses variables as functions of path counters.

Computed formulae belong to a fragment of FOL expressible by asimple grammar. In this fragment each universally quantified variableis bound to an interval with a path counter as the upper bound.

Z3 often performs purely on computed formulae, because ofquantifiers. But structure of formulae allows to generate boundedquantifier free formulae, where Z3 performs very well.

We showed that results of the heuristic can be easily and directly usedin tools based on either original symbolic execution or DARTalgorithm. And experimental results show a potential to improveperformance of such tools.

10/10

Page 51: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Conclusion

The heuristic computes a formula that is a necessary condition forreaching the target. We build the formula according to the followingtwo relaxations:

We relax an exact interleaving of paths through a loop.And we expresses variables as functions of path counters.

Computed formulae belong to a fragment of FOL expressible by asimple grammar. In this fragment each universally quantified variableis bound to an interval with a path counter as the upper bound.

Z3 often performs purely on computed formulae, because ofquantifiers. But structure of formulae allows to generate boundedquantifier free formulae, where Z3 performs very well.

We showed that results of the heuristic can be easily and directly usedin tools based on either original symbolic execution or DARTalgorithm. And experimental results show a potential to improveperformance of such tools.

10/10

Page 52: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Conclusion

The heuristic computes a formula that is a necessary condition forreaching the target. We build the formula according to the followingtwo relaxations:

We relax an exact interleaving of paths through a loop.And we expresses variables as functions of path counters.

Computed formulae belong to a fragment of FOL expressible by asimple grammar. In this fragment each universally quantified variableis bound to an interval with a path counter as the upper bound.

Z3 often performs purely on computed formulae, because ofquantifiers. But structure of formulae allows to generate boundedquantifier free formulae, where Z3 performs very well.

We showed that results of the heuristic can be easily and directly usedin tools based on either original symbolic execution or DARTalgorithm. And experimental results show a potential to improveperformance of such tools.

10/10

Page 53: Overapproximating Program Paths using FOL Formula€¦Overapproximating Program Paths using FOL Formula Jan Strej cek and Marek Trt k 1/10

Conclusion

The heuristic computes a formula that is a necessary condition forreaching the target. We build the formula according to the followingtwo relaxations:

We relax an exact interleaving of paths through a loop.And we expresses variables as functions of path counters.

Computed formulae belong to a fragment of FOL expressible by asimple grammar. In this fragment each universally quantified variableis bound to an interval with a path counter as the upper bound.

Z3 often performs purely on computed formulae, because ofquantifiers. But structure of formulae allows to generate boundedquantifier free formulae, where Z3 performs very well.

We showed that results of the heuristic can be easily and directly usedin tools based on either original symbolic execution or DARTalgorithm. And experimental results show a potential to improveperformance of such tools.

10/10


First-Order Logic Chapter 8. Outline Why FOL? Syntax and semantics of FOL Using FOL Wumpus world in FOL Knowledge engineering in FOL

Fol - Editex (8)

Gender FoL

Introduction to SMT - SAT/SMT Summer School 2014satsmt2014.forsyte.at/files/2014/07/SMT-introduction.pdf · Introduction to SMT Alberto Griggio ... (quantifier-free) FOL formula and

pasta fol...doc

Lec13 Fol Inference

FOL Salina

Miscellaneous FOL Examplesisabelle.in.tum.de/dist/library/FOL/FOL-ex/document.pdf · Miscellaneous FOL Examples June 9, 2019 Contents 1 Natural numbers2 2 Examples for the manual

FOL FD.docx

Inference in FOL

Fol wales 2014

First-Order Logic (FOL) part 2 · Examples of FOL in use •Semantics of W3C’s Semantic Webstack (RDF, RDFS, OWL) is defined in FOL •OWLFull is equivalent to FOL •Other OWL

First Order Logic Semantics - University Of Illinoisreason.cs.uiuc.edu/cs498ea/FOL part 2.pdf · First Order Logic Semantics FOL Models What are FOL Models? FOL Model Example Remember

MTA MTC CONTROL POWER TRANSFORMERS - Eatonpub/@electrical/documents/conte… · Use the fol-lowing formula: NOTE: Transformer Selection Inrush VA also can be determined by add-ing

Glosario FOL

Fol Feb 2015

Warm-up: FOL # ?

Fol Brassmasters

Alternative FOL

OWL & FOL COMP62342 - University of Manchesterstudentnet.cs.manchester.ac.uk/.../slides/Week3-OWL-FOL-Patterns.pdf · OWL & FOL COMP62342 ... 3 So far, we have • looked at operational

hanadayori-Map fol

The Spiritual Ideals of Hinduism’s Two Noble Paths of … · been a choice of paths to fol-low—grihastha or sannyasa, family or monk. Unfortunately, in modern Hinduism the distinction

Artificial Intelligence First-Order Logic (FOL). Outline of this Chapter The need for FOL? What is a FOL? Syntax and semantics of FOL Using FOL

(FOl~tD) - Wa

CATALOGO porta folletos CORsolucionplastica.com/a5.pdfTRIPTICO 1/4 CARTA ½ CARTA 1 CARTA REVISTA PERIODICO FOL 13V FOL 14V FOL 15V FOL 16V FOL 17V FOL 18V-----FOL 14H FOL 15H FOL

Fol- folleto

London, British Library Add. 29987 Fol 55v to Fol 63v

Resolution in FOL

PATHS TO ADEQUACY: ACCELERATING SCHOOL FUNDING EQUITY · 2019. 5. 8. · PATHS TO ADEQUACY: ACCELERATING SCHOOL FUNDING EQUITY The Evidence-Based Funding (EBF) Formula of 2017 lays

Fol TEMA04

Undecidability Fol

COMBINED COURT BARON RECORDS FOR LAWKLAND ...d1biszitk051fy.cloudfront.net/wp-content/uploads/2017/08/...fol 165 12 Jun 1684 fol 165 27 Sep 1684 fol 166 18 may 1685 fol 168 22 Oct

Fol di eng_businessplan

fol jan2015001

Lecture 8: First Order Logic Heshaam Faili [email protected] University of Tehran Motivation for First Order Logic (FOL) FOL syntax Quantifiers FOL semantics