Download - SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India
![Page 1: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/1.jpg)
SLAM internals
Sriram K. Rajamani
Rigorous Software Engineering
Microsoft Research, India
![Page 2: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/2.jpg)
C-Types ::= void | bool | int | ref
Expressions e ::= c | x | e1 op e2 | &x | *x
LExpression l ::= x | *x
Declaration d ::= x1,x2 ,…,xn
Statements s ::= skip | goto L1,L2 …Ln | L: s
| assume(e)
| l = e
| l = f (e1 ,e2 ,…,en )
| return x
| s1 ; s2 ;… ; sn
Procedures p ::= f (x1: 1,x2 : 2,…,xn : n )
Program g ::= d1 d2 … dn p1 p2 … pn
![Page 3: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/3.jpg)
C--Types ::= void | bool | int
Expressions e ::= c | x | e1 op e2
LExpression l ::= x
Declaration d ::= x1,x2 ,…,xn
Statements s ::= skip | goto L1,L2 …Ln | L: s
| assume(e)
| l = e
| f (e1 ,e2 ,…,en )
| return
| s1 ; s2 ;… ; sn
Procedures p ::= f (x1: 1,x2 : 2,…,xn : n ) d s
Program g ::= d1 d2 … dn p1 p2 … pn
![Page 4: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/4.jpg)
BPTypes ::= void | bool
Expressions e ::= c | x | e1 op e2
LExpression l ::= x
Declaration d ::= x1,x2 ,…,xn
Statements s ::= skip | goto L1,L2 …Ln | L: s
| assume(e)
| l = e
| f (e1 ,e2 ,…,en )
| return
| s1 ; s2 ;… ; sn
Procedures p ::= f (x1: 1,x2 : 2,…,xn : n ) d s
Program g ::= d1 d2 … dn p1 p2 … pn
![Page 5: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/5.jpg)
Syntactic sugar
if (e) { S1;} else { S2;}S3;
goto L1, L2;
L1: assume(e); S1; goto L3;
L2: assume(!e); S2; goto L3;
L3: S3;
![Page 6: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/6.jpg)
Example, in C
void cmp (int a , int b) { if (a == b) g = 0; else g = 1;}
int g;
main(int x, int y){
cmp(x, y);
if (!g) { if (x != y) assert(0); } }
![Page 7: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/7.jpg)
void cmp(int a , int b) { goto L1, L2; L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
Example, in C--
![Page 8: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/8.jpg)
c2bp: Predicate Abstraction for C Programs
Given• P : a C program• F = {e1,...,en}
– each ei a pure boolean expression– each ei represents set of states for which ei is true
Produce a boolean program B(P,F)• same control-flow structure as P• boolean vars {b1,...,bn} to match {e1,...,en}• properties true of B(P,F) are true of P
![Page 9: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/9.jpg)
Assumptions
Given• P : a C program• F = {e1,...,en}
– each ei a pure boolean expression– each ei represents set of states for which ei is true
• Assume: each ei uses either:– only globals (global predicate)– local variables from some procedure (local predicate for that
procedure)
• Mixed predicates:– predicates using both local variables and global variables– complicate “return” processing– covered in Step 2
![Page 10: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/10.jpg)
C2bp Algorithm
• Performs modular abstraction– abstracts each procedure in isolation
• Within each procedure, abstracts each statement in isolation– no control-flow analysis– no need for loop invariants
![Page 11: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/11.jpg)
void cmp (int a , int b) { goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
Preds: {x==y}
{g==0}
{a==b}
![Page 12: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/12.jpg)
void cmp (int a , int b) { goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
decl {g==0} ;
main( {x==y} ) {
}
void cmp ( {a==b} ) {
}
Preds: {x==y}
{g==0}
{a==b}
![Page 13: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/13.jpg)
void equal (int a , int b) { goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
decl {g==0} ;
main( {x==y} ) {
cmp( {x==y} );
assume( {g==0} ); assume( !{x==y} ); assert(0); }
void cmp ( {a==b} ) { goto L1, L2; L1: assume( {a==b} ); {g==0} = T; return;
L2: assume( !{a==b} ); {g==0} = F; return;}
Preds: {x==y}
{g==0}
{a==b}
![Page 14: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/14.jpg)
C--Types ::= void | bool | int
Expressions e ::= c | x | e1 op e2
LExpression l ::= x
Declaration d ::= x1,x2 ,…,xn
Statements s ::= skip | goto L1,L2 …Ln | L: s
| assume(e)
| l = e
| f (e1 ,e2 ,…,en )
| return
| s1 ; s2 ;… ; sn
Procedures p ::= f (x1: 1,x2 : 2,…,xn : n )
Program g ::= d1 d2 … dn p1 p2 … pn
![Page 15: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/15.jpg)
Abstracting Assignments
Suppose you are given an assignment s
• if ImpliesF(WP(s, ei)) is true before s then– ei is true after s
• if ImpliesF(WP(s, !ei)) is true before s then– ei is false after s
{ei} = ImpliesF(WP(s, ei)) ? true :
ImpliesF(WP(s, !ei)) ? false : *;
![Page 16: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/16.jpg)
Abstracting Expressions via F
• F = { e1,...,en }
• ImpliesF(e)
– best boolean function over F that implies e
• ImpliedByF(e)
– best boolean function over F implied by e
– ImpliedByF(e) = !ImpliesF(!e)
![Page 17: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/17.jpg)
ImpliesF(e) and ImpliedByF(e)
e
ImpliesF(e)
ImpliedByF(e)
![Page 18: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/18.jpg)
Computing ImpliesF(e) • F = { e1,...,en }
• minterm m = d1 && ... && dn
– where di = ei or di = !ei
• ImpliesF(e) – disjunction of all minterms that imply e
• Naïve approach– generate all 2n possible minterms– for each minterm m, use decision procedure to check validity of each
implication me
• Many optimizations possible
![Page 19: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/19.jpg)
do {KeAcquireSpinLock();
nPacketsOld = nPackets; b = true;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++; b = b ? false : *;
}} while (nPackets != nPacketsOld); !b
KeReleaseSpinLock();
ExampleAdd new predicateto boolean program
(c2bp)b : (nPacketsOld == nPackets)
U
L
L
L
L
U
L
U
U
U
E
![Page 20: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/20.jpg)
Assignment Example
Statement in P: Predicates in F:
y = y+1; {x==y}
Weakest Precondition:WP(y=y+1, x==y) = x==y+1
ImpliesF( x==y+1 ) = false
ImpliesF( x!=y+1 ) = x==y
Abstraction of assignment in B:{x==y} = {x==y} ? false : *;
![Page 21: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/21.jpg)
Absracting Assumes
• WP( assume(e) , Q) = eQ
• assume(e) is abstracted to: assume( ImpliedByF(e) )
• Example:F = {x==2, x<5}assume(x < 2) is abstracted to:
assume( {x<5} && !{x==2} )
![Page 22: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/22.jpg)
Abstracting Procedures
• Each predicate in F is annotated as being either global or local to a particular procedure
• Procedures abstracted in two passes:– a signature is produced for each procedure in
isolation– procedure calls are abstracted given the
callees’ signatures
![Page 23: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/23.jpg)
Abstracting a procedure call
• Procedure call– a sequence of assignments from actuals to formals– see assignment abstraction
• Procedure return– NOP for C-- with assumption that all predicates
mention either only globals or only locals– with pointers and with mixed predicates:
• Most complicated part of c2bp• Covered in Step 2
![Page 24: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/24.jpg)
void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
decl {g==0} ;
main( {x==y} ) {
cmp( {x==y} );
assume( {g==0} ); assume( !{x==y} ); assert(0); }
void cmp ( {a==b} ) {Goto L1, L2 L1: assume( {a==b} ); {g==0} = T; return;
L2: assume( !{a==b} ); {g==0} = F; return;}
{x==y}
{g==0}
{a==b}
![Page 25: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/25.jpg)
Precision loss during predicate abstraction
• For program P and F = {e1,...,en}, there exist two “ideal” abstractions:– Boolean(P,F) : most precise abstraction– Cartesian(P,F) : less precise abstraction, where each boolean variable
is updated independently
• Theory:– with an “ideal” theorem prover, c2bp can compute Cartesian(P,F)
• Practice:– c2bp computes a less precise abstraction than Cartesian(P,F)– we use Das/Dill’s technique to incrementally improve precision – with an “ideal” theorem prover, the combination of c2bp + Das/Dill can
compute Boolean(P,F)
![Page 26: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/26.jpg)
Cartesian abstractionF = { (x!=5), (y<5), (y>5)}
Statement: y = x
Abstract statement in the boolean program:{y < 5} = {x != 5} ? * : false{y > 5} = {x != 5} ? * : false
Suppose {x != 5} is true before the assignmentThen, only one of {y <5} or {y > 5} can be true after the assignment
This correlation is lost in cartesian abstraction
![Page 27: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/27.jpg)
prog. P’prog. P
SLIC rule
The SLAM Process
boolean program
pathpredicates
slic
c2bp
bebop
newton
![Page 28: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/28.jpg)
Bebop
• Model checker for boolean programs
• Based on CFL reachability
• Explicit representation of CFG
• Implicit representation of path edges and summary edges
• Generation of hierarchical error traces
![Page 29: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/29.jpg)
Domains
g Globall Localf Frames Stack = Frame*State = Global X Local X Stack
Transitions:T (Global X Local) X ( Global X Local)T+ Local X (Local X Frame)T- (Local X Frame) X Local
![Page 30: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/30.jpg)
Transition Relation
STEPT (g, l, g’, l’)
________________(g,l,s) (g’,l’, s)
PUSHT+(l, l’, f)
__________________(g,l,s) (g’,l’, s.f)
POPT-(l, f, l’’)
_______________________(g,l,s.f) (g’,l’, s)
g Globall Localf Frames Stack = Frame*State = Global X Local X Stack
Transitions:T (Global X Local) X ( Global X Local)T+ Local X (Local X Frame)T- (Local X Frame) X Local
![Page 31: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/31.jpg)
Naïve model checking
STEPT (g, l, g’, l’)
________________(g,l,s) (g’,l’, s)
PUSHT+(l, l’, f)
__________________(g,l,s) (g’,l’, s.f)
POPT-(l, f, l’’)
_______________________(g,l,s.f) (g’,l’, s)
Start with initial state: (g0,l0,)
Find all the states s such that(g0,l0,) * s
Even if Globals and Locals are finite, the set of reachable states could be infinite since the stack can grow infinite
No guarantee for termination
Still, assertion checking is decidable
Need to use a different algorithm (CFL reachability)
![Page 32: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/32.jpg)
CFL reachability
CFL-STEPP(g1, l1, g2, l2) T(g2, l2, g3, l3)
________________P(g1, l1, g3, l3)
CFL-PUSHP(g1, l1, g2, l2) T+(l2, l3 ,f,)
__________________P(g2, l3, g2, l3)
CFL-SUMP(g1, l1, g2, l2) T-(l2, f , l3,)
__________________Sum(g1, l1, f, g2, l3)
CFL-POPP(g1, l1, g2, l2) T+(l2, l3 ,f,) Sum( g2, l3, f , g3, l4 )
_______________________P(g1, l1, g3, l4)
P (Global X Local) X ( Global X Local)Sum (Global X Local) X Frame X ( Global X Local)
CFL-INIT_______________
P(g0, l0, g0, l0)
[Sharir-Pnueli 81] [Reps-Sagiv-Horwitz 95]
![Page 33: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/33.jpg)
decl g;void main()decl u,v; [1] u := !v;
[2] equal(u,v);
[3] if (g) then R: skip;
fi [4] return;
void equal(a, b)
[5] if (a = b) then [6] g := 1; else [7] g := 0; fi [8] return;
[1] [1] [1]
[2] [2]
u!=v
g=0
[5] [5]
[7]
[3]
[4]
[1]
[8]
[7]
u=v
g=0
u!=v
g=1
u=v
g=1
![Page 34: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/34.jpg)
Symbolic CFL reachability Partition path edges by their “target”
PE(v) = { <d1,d2> | <entry,d1> <v,d2> }
What is <d1,d2> for boolean programs? A bit-vector!
What is PE(v)? A set of bit-vectors
Use a BDD (attached to v) to represent PE(v)
![Page 35: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/35.jpg)
decl g;void main()decl u,v; [1] u := !v;
[2] equal(u,v);
[3] if (g) then R: skip;
fi [4] return;
void equal(a, b)
[5] if (a = b) then [6] g := 1; else [7] g := 0; fi [8] return;
[1] [1] [1]
[2] [2]
u!=v
g=0
[5] [5]
[7]
[3]
[4]
[1]
[8]
[7]
u=v
g=0
u!=v
g=1
u=v
g=1
g=g’& u=u’& v=v’
g=g’& v!=u’ & v=v’
g=g’ & a=a’ & b=b’ & a!=b
g’=0 & v’!=u’ & v=v’
g’=0 & v!=u’ & v=v’
g=g’& a=a’ & b=b’& a!=b
g’=0 & a=a’ & b=b’& a!=b
![Page 36: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/36.jpg)
Bebop: summary
Explicit representation of CFG Implicit representation of path edges and
summary edges Generation of hierarchical error traces
Complexity: O(E * 2O(N)
) E is the size of the CFG N is the max. number of variables in scope
![Page 37: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/37.jpg)
prog. P’prog. P
SLIC rule
The SLAM Process
boolean program
pathpredicates
slic
c2bp
bebop
newton
![Page 38: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/38.jpg)
Type 1: False error trace due to approximate predicate abstraction
![Page 39: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/39.jpg)
Type 2: False error trace due to insufficient predicates
![Page 40: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/40.jpg)
prog. P’prog. P
SLIC rule
The SLAM Process (more accurate)
boolean program
pathpredicates
slic
c2bp
bebop
newton
![Page 41: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/41.jpg)
Type 1: False error trace due to approximate predicate abstraction
![Page 42: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/42.jpg)
Type 1: False error trace due to approximate predicate abstraction
With this technique we can be as preciseas boolean abstraction(rather than cartesian)
![Page 43: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/43.jpg)
Type 2: False error trace due to insufficient predicates
![Page 44: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/44.jpg)
Type 2: False error trace due to insufficient predicates
![Page 45: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/45.jpg)
prog. P’prog. P
SLIC rule
The SLAM Process (more accurate)
boolean program
pathpredicates
slic
c2bp
bebop
newton
![Page 46: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/46.jpg)
Newton
• Given an error path p in boolean program B– is p a feasible path of the corresponding C
program?• Yes: found an error• No: find predicates that explain the infeasibility
– uses the same interfaces to the theorem provers as c2bp.
![Page 47: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/47.jpg)
Newton
• Execute path symbolically
• Check conditions for inconsistency using theorem prover (satisfiability)
• After detecting inconsistency:– minimize inconsistent conditions– traverse dependencies– obtain predicates
![Page 48: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/48.jpg)
do {KeAcquireSpinLock();
if(*){
KeReleaseSpinLock();
}} while (*);
KeReleaseSpinLock();
ExampleModel checking boolean program
(bebop)
U
L
L
L
L
U
L
U
U
U
E
![Page 49: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/49.jpg)
do {KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while (nPackets != nPacketsOld);
KeReleaseSpinLock();
ExampleIs error path feasible
in C program?(newton)
U
L
L
L
L
U
L
U
U
U
E
![Page 50: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/50.jpg)
do {KeAcquireSpinLock();
nPacketsOld = nPackets; b = true;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++; b = b ? false : *;
}} while (nPackets != nPacketsOld); !b
KeReleaseSpinLock();
ExampleAdd new predicateto boolean program
(c2bp)b : (nPacketsOld == nPackets)
U
L
L
L
L
U
L
U
U
U
E
![Page 51: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/51.jpg)
Symbolic simulation for C--
Domains– variables: names in the program– values: constants + symbols
State of the simulator has 3 components:– store: map from variables to values– conditions: predicates over symbols– history: past valuations of the store
![Page 52: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/52.jpg)
Symbolic simulation AlgorithmInput: path p
For each statement s in p domatch s with
Assign(x,e):let val = Eval(e) inif (Store[x]) is defined then
History[x] := History[x] Store[x]Store[x] := val
Assume(e):let val = Eval(e) in
Cond := Cond and vallet result = CheckConsistency(Cond) inif (result == “inconsistent”) then
GenerateInconsistentPredicates()End
Say “Path p is feasible”
![Page 53: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/53.jpg)
Symbolic Simulation: Caveats
• Procedure calls– add a stack to the simulator– push and pop stack frames on calls and returns– implement mappings to keep values “in scope” at
calls and returns
• Dependencies– for each condition or store, keep track of which values
where used to generate this value– traverse dependency during predicate generation
![Page 54: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/54.jpg)
void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
![Page 55: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/55.jpg)
void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
Global:
main:
(1) x: X
(2) y: Y
Conditions:
![Page 56: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/56.jpg)
void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
Global:
main:
(1) x: X
(2) y: Y
cmp:
(3) a: A
(4) b: B
Conditions:
Map:
X A
Y B
![Page 57: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/57.jpg)
void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
Global:
(6) g: 0
main:
(1) x: X
(2) y: Y
cmp:
(3) a: A
(4) b: B
Conditions:
(5) (A == B) [3, 4]Map:
X A
Y B
![Page 58: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/58.jpg)
void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
Global:
(6) g: 0
main:
(1) x: X
(2) y: Y
cmp:
(3) a: A
(4) b: B
Conditions:
(5) (A == B) [3, 4]
(6) (X == Y) [5]
Map:
X A
Y B
![Page 59: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/59.jpg)
void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
Global:
(6) g: 0
main:
(1) x: X
(2) y: Y
cmp:
(3) a: A
(4) b: B
Conditions:
(5) (A == B) [3, 4]
(6) (X == Y) [5]
(7) (X != Y) [1, 2]
Contradictory!
![Page 60: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/60.jpg)
void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
Global:
(6) g: 0
main:
(1) x: X
(2) y: Y
cmp:
(3) a: A
(4) b: B
Conditions:
(5) (A == B) [3, 4]
(6) (X == Y) [5]
(7) (X != Y) [1, 2]
Contradictory!
![Page 61: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/61.jpg)
void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;
L2: assume(a!=b); g = 1; return;}
int g;
main(int x, int y){
cmp(x, y);
assume(!g); assume(x != y) assert(0); }
Predicates after simplification:
{ x == y, a == b }
![Page 62: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/62.jpg)
Refinement Using Interpolants
Given formulas - , + s.t. - + is unsatisfiable
An interpolant for - , + is a formula s.t.1. - implies 2. has symbols common to -, + 3. + is unsatisfiable
computable from proof of unsat. of - +
[Henzinger-Jhala-Majumdar-McMillan POPL 04] give a way to generate predicates for refinement from infeasible traces using interpolants
![Page 63: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/63.jpg)
Interpolants: Example (1)
pc1: x = ctr
pc2: ctr = ctr + 1
pc3: y = ctr
pc4: assume(x = i-1)
pc5: assume(y i)
Trace Trace Formula
•Cut + Interpolate at each point
•Pred. Map: pci Interpolant from cut i
-
+Interpolate x1 = ctr0
Predicate Map pc2: x= ctr
x1 = ctr0
ctr1 = ctr0 + 1
y1 = ctr1
x1 = i0 – 1
y1 i0
![Page 64: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/64.jpg)
pc1: x = ctr
pc2: ctr = ctr + 1
pc3: y = ctr
pc4: assume(x = i-1)
pc5: assume(y i)
Trace Trace Formula
•Cut + Interpolate at each point
•Pred. Map: pci Interpolant from cut i
-
+Interpolate
Predicate Map pc2: x = ctrpc3: x= ctr-1
x1= ctr1-1
x1 = ctr0
ctr1 = ctr0 + 1
y1 = ctr1
x1 = i0 – 1
y1 i0
Interpolants: Example (2)
![Page 65: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/65.jpg)
-
+Interpolate
pc1: x = ctr
pc2: ctr = ctr + 1
pc3: y = ctr
pc4: assume(x = i-1)
pc5: assume(y i)
Trace Trace Formula
y1 = x1 + 1
x1 = ctr0
ctr1 = ctr0 + 1
y1 = ctr1
x1 = i0 – 1
y1 i0
Predicate Map pc2: x = ctrpc3: x= ctr-1pc3: y= x+1
•Cut + Interpolate at each point
•Pred. Map: pci Interpolant from cut i
Interpolants: Example (3)
![Page 66: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/66.jpg)
pc1: x = ctr
pc2: ctr = ctr + 1
pc3: y = ctr
pc4: assume(x = i-1)
pc5: assume(y i)
Trace Trace Formula
•Cut + Interpolate at each point
•Pred. Map: pci Interpolant from cut i
-
+Interpolate
Predicate Map pc2: x = ctrpc3: x = ctr-1pc4: y = x+1pc5: y= i
y1= i0
x1 = ctr0
ctr1 = ctr0 + 1
y1 = ctr1
x1 = i0 – 1
y1 i0
Interpolants: Example (4)
![Page 67: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/67.jpg)
pc1: x = ctr
pc2: ctr = ctr + 1
pc3: y = ctr
pc4: assume(x = i-1)
pc5: assume(y i)
Trace Trace Formula
Predicate Map pc2: x = ctrpc3: x = ctr-1pc4: y = x+1pc5: y = i
Theorem: Predicate map makes trace abstractly infeasible
x1 = ctr0
ctr1 = ctr0 + 1
y1 = ctr1
x1 = i0 – 1
y1 i0
Interpolants: Example (5)
![Page 68: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/68.jpg)
Homework
Weakest Precondition:WP( *p=3 , x==5 ) = ?? What if *p and x alias?
Statement in P: Predicates in E:
*p = 3 {x==5}
![Page 69: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/69.jpg)
Advanced Topics: Pointers
![Page 70: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/70.jpg)
prog. P’prog. P
SLIC rule
So far..
boolean program
pathpredicates
slic
c2bp
bebop
newton
![Page 71: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/71.jpg)
C--Types ::= void | bool | int
Expressions e ::= c | x | e1 op e2
LExpression l ::= x
Declaration d ::= x1,x2 ,…,xn
Statements s ::= skip | goto L1,L2 …Ln | L: s
| assume(e)
| l = e
| f (e1 ,e2 ,…,en )
| return
| s1 ; s2 ;… ; sn
Procedures p ::= f (x1: 1,x2 : 2,…,xn : n ) d s
Program g ::= d1 d2 … dn p1 p2 … pn
![Page 72: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/72.jpg)
C-Types ::= void | bool | int | ref
Expressions e ::= c | x | e1 op e2 | &x | *x
LExpression l ::= x | *x
Declaration d ::= x1,x2 ,…,xn
Statements s ::= skip | goto L1,L2 …Ln | L: s
| assume(e)
| l = e
| l = f (e1 ,e2 ,…,en )
| return x
| s1 ; s2 ;… ; sn
Procedures p ::= f (x1: 1,x2 : 2,…,xn : n ) d s
Program g ::= d1 d2 … dn p1 p2 … pn
![Page 73: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/73.jpg)
Abstracting Procedure Returns
• Let a be an actual at call-site P(…)– pre(a) = the value of a before transition to P
• Let f be a formal of a procedure P– pre(f) = the value of f upon entry to P
![Page 74: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/74.jpg)
int R (int f) {
int r = f+1;
f = 0;
return r;
}
WP(x=r, x==2) = r==2
Q() {
int x = 1;
x = R(x)
}
pre(f) == x
x = r
{x==1}
{x==2}
{f==pre(f)}
{r==pre(f)+1}
predicate call/return relation call/return assign
{x==2} = s & {x==1};
}
bool R ( {f==pre(f)} ) {
{r==pre(f)+1} = {f==pre(f)};
{f==pre(f)} = *;
return {r==pre(f)+1};
}
WP(f=x, f==pre(f) ) = x==pre(f)
f = x
x==pre(f) is true at the call to R
pre(f)==x and x==1 and r==pre(f)+1 implies r==2
Q() { {x==1},{x==2} = T,F;
s = R(T);
{x==1} s
![Page 75: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/75.jpg)
int R (int f) {
int r = f+1;
f = 0;
return r;
}
WP(x=r, x==2) = r==2
Q() {
int x = 1;
x = R(x)
}
pre(f) == x
x = r
{x==1}
{x==2}
{f==pre(f)}
{r==pre(f)+1}
predicate call/return relation call/return assign
bool R ( {f==pre(f)} ) {
{r==pre(f)+1} = {f==pre(f)};
{f==pre(f)} = *;
return {r==pre(f)+1};
}
WP(f=x, f==pre(f) ) = x==pre(f)
f = x
x==pre(f) is true at the call to R
pre(f)==x and x==1 and r==pre(f)+1 implies r==2
Q() { {x==1},{x==2} = T,F;
s = R(T);
{x==1} s
{x==1}, {x==2} = *, s & {x==1};
}
![Page 76: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/76.jpg)
Pointers and SLAM
• With pointers, C supports call by reference– Strictly speaking, C supports only call by value– With pointers and the address-of operator, one can
simulate call-by-reference
• Boolean programs support only call-by-value-result– SLAM mimics call-by-reference with call-by-value-result
• Extra complications:– address operator (&) in C– multiple levels of pointer dereference in C
![Page 77: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/77.jpg)
What changes with pointers?
• C2bp– abstracting assignments– abstracting procedure returns
• Newton– simulation needs to handle pointer accesses– need to copy local heap across scopes to match Bebop’s
semantics– need to refine imprecise alias analysis using predicates
• Bebop– remains unchanged!
![Page 78: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/78.jpg)
Recall : Abstracting Assignments
Suppose you are given an assignment s
• if ImpliesF(WP(s, ei)) is true before s then– ei is true after s
• if ImpliesF(WP(s, !ei)) is true before s then– ei is false after s
{ei} = ImpliesF(WP(s, ei)) ? true :
ImpliesF(WP(s, !ei)) ? false : *;
![Page 79: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/79.jpg)
Assignments + Pointers
Weakest Precondition:WP( *p=3 , x==5 ) = x==5 What if *p and x alias?
We use Das’s pointer analysis [PLDI 2000] to prune disjuncts representing infeasible alias scenarios.
Correct Weakest Precondition:(p==&x and 3==5) or (p!=&x and x==5)
Statement in P: Predicates in E:
*p = 3 {x==5}
![Page 80: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/80.jpg)
Abstracting Procedure Return
• Need to account for – lhs of procedure call– mixed predicates– side-effects of procedure
• Boolean programs support only call-by-value-result– C2bp models all side-effects using return
processing
![Page 81: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/81.jpg)
Extending Pre-states
• Suppose formal parameter is a pointer– eg. P(int *f)
• pre( *f )– value of *f upon entry to P– can’t change during P
• * pre( f )– value of dereference of pre( f )– can change during P
![Page 82: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/82.jpg)
int R (int *a) {
*a = *a+1;
}
Q() {
int x = 1;
R(&x);
}
pre(a) = &x
{x==1}
{x==2}
predicate call/return relation call/return assign
{x==2} = s & {x==1};
}
bool R ( {a==pre(a)}, {*pre(a)==pre(*a)} ) {
{*pre(a)==pre(*a)+1} = {*pre(a)==pre(*a)} ;
return {*pre(a)==pre(*a)+1};
}
a = &x
Q() { {x==1},{x==2} = T,F;
s = R(T,T);
{a==pre(a)} {*pre(a)==pre(*a)}
{*pre(a)=pre(*a)+1}
pre(x)==1 and pre(*a)==pre(x) and *pre(a)==pre(*a)+1 and pre(a)==&x implies x==2
{x==1}
s
![Page 83: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/83.jpg)
Newton: what changes with pointers?
• Simulation needs to handle pointer accesses
• Need to copy local heap across scopes to match Bebop’s semantics
![Page 84: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/84.jpg)
void foo (int *a) {assume(*a > 5);assert(0);
}
main(int *x){
assume(*x < 5); foo(x);
}
![Page 85: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/85.jpg)
Contradictory!
void foo (int *a) {assume(*a > 5);assert(0);
}
main(int *x){
assume(*x < 5); foo(x);
}
main:
(1) x: X
(2) *X: Y [1]
foo:
(3) a: A
(4) *A: B [3]
Conditions:
(5) (Y< 5) [1,2]
(6) (B < 5) [3,4,5]
(7) (B > 5) [3,4]
Predicates after simplification:
*x < 5 , *a < 5, *a > 5
![Page 86: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/86.jpg)
prog. P’prog. P
SLIC rule
Non progress..
boolean program
pathpredicates
slic
c2bp
bebop
newton
![Page 87: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/87.jpg)
Non-progress due to alias analysis imprecision
x = 0;y = 0;p = &y
*p = *p + 1;
assume(x!=0);
p = &x;
{x==0}
{x==0} = T;skip;skip;
{x==0} = *;
assume( !{x==0} );
skip;
Pts-to(p)=
{ &x, &y}
![Page 88: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/88.jpg)
x = 0;y = 0;p = &y
if (p == &x) x = x + 1;else y = y + 1;
assume(x!=0);
p = &x;
x = 0;y = 0;p = &y
*p = *p + 1;
assume(x!=0);
p = &x;
{x==0} = T;skip;skip;
{x==0} = *;
assume(!{x==0} );
skip;
Non-progress due to alias analysis imprecision
![Page 89: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/89.jpg)
Consider values in abstract trace
x = 0;y = 0;p = &y
*p = *p + 1;
assume(x!=0);
p = &x;
{x==0} = T;skip;skip;
{x==0} = *;
assume(!{x==0} );
skip;
{x==0} is true
{x==0} is false
INCONSISTENT
![Page 90: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/90.jpg)
Consider values in abstract trace
x = 0;y = 0;p = &y
*p = *p + 1;
assume(x!=0);
p = &x;
{x==0} = T;skip;skip;
{x==0} = *;
assume(!{x==0} );
skip;
WP(*p = *p +1, !(x==0) )
= ((p == &x) and !(x==-1)) or ((p != &x) and !(x==0))
(p!=&x) gets added as a predicate
![Page 91: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/91.jpg)
Generalization of refinement predicates
main(){ int x; x = 0; while(*) {
x++;}assert(x >= 0);}
Iterative refinement produces predicates:(x == 0),(x == 1),(x ==2) …
Need to generate (x >= 0) automatically!
Difficult to come up with general methods to do such generalizations
![Page 92: SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India](https://reader036.vdocuments.site/reader036/viewer/2022062519/5697bfd01a28abf838caac8d/html5/thumbnails/92.jpg)
Areas for future work
• Abstraction-refinement loop with richer models (than just booleans) for solving the progress problem with pointers
• Combination of over-approximation and under-approximation based methods to avoid refining in irrelevant places in the program