Dealing with complex constraints in symbolic execution

1. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Dealing with constraints in symbolic execution Bernhard Mallinger Programming Languages Seminar SS13 TU Wien June 11th, 2013 Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

2. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Outline 1 Constraints in Symbolic Execution 2 Optimisations Constraint independence Solution caching Incremental solving 3 Heuristic Approach Motivation CORAL 4 Conclusion Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

4. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Constraints in Symbolic Execution Constraints on variables are collected by analysing code: 1 i f (preproc) { 2 i f (extensive_preproc) { 3 // extensive preprocessing 4 } 5 } extensive preprocessing-block is reached iﬀ PC ∧ preproc ∧ extensive_preproc is satisﬁable ⇒ Unreachability test ⇒ Test case generator Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

5. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Solvers Depending on code, diﬀerent kinds solvers are eﬃcient Linear arithmetic Complex functions General, unstructured constraints . . . Tremendous speedup in recent years (SAT) Especially continuous functions still not solvable Constraint solving dominates runtime Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

7. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Constraint independence Constraint independence In the path condition, all constraints are combined ⇒ but not all related Separate logically independent groups 1 i f (preproc) { 2 // do preproc 3 } 4 // algo 5 i f (postproc) { 6 // do postproc 7 } PC ∧ preproc ∧ postproc PC ∧ preproc ∧ ¬postproc PC ∧ ¬preproc ∧ postproc PC ∧ ¬preproc ∧ ¬postproc Variables related if appear in same constraint ⇒ Reachability problem Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

10. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Solution caching Solution caching Multiple queries contain same independent groups of constraints ⇒ simply cache results More elaborate: exploit repetitions in path conditions: 1 i f (preproc) { 2 i f (extensive_preproc) { 3 // do extensive preprocessing 4 } 5 } PC ∧ preproc PC ∧ preproc ∧ extensive_preproc Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

11. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Solution caching Solution caching Constraint Solution C1 = {preproc} S1 = {preproc → 1} C2 = {preproc, ext_preproc} S2 = {preproc → 1, ext_preproc → 1} C3 = {preproc, ¬preproc} X C4 = {preproc, ¬preproc, postproc } X S2 is a solution to C1 due to C1 ⊆ C2 Since C3 is unsatisﬁable, so is C4 as C3 ⊆ C4 S2 often is an extension of S1 since C1 ⊆ C2 Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

15. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Incremental solving Incremental solving In queries generated in symbolic execution, often only the last predicates diﬀer 1 i f (postproc) { 2 i f (fancy_output) { 3 // print fancy statistics 4 } 5 } PC ∧ postproc PC ∧ postproc ∧ fancy_output Determine set of variables which are dependent of variables in last predicate, solve them and else reuse old solution Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

16. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Incremental solving Empirical results Figure: Performance with and without the solution cache and constraint independence optimisation in KLEE. Source: Cadar et al., 2008 Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

18. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Motivation Motivation Still many unsolvable path conditions Can’t search exhaustively, so guess smartly, improve guesses Reasonable way of “thinking”? Reinterpret decision problem as optimisation problem Minimise violations New precondition: Locality in solution space Works for all domains, given locality Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

19. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Motivation Metaheuristics Random initial solutions probably contain viable fragments Optimise given invalid solutions by local search Combine promising solutions Steer towards regions of high objective value Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

20. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion CORAL CORAL xtan(y) + z < x ∗ arctan(z) ∧ sin(y) + cos(y) + tan(y) ≥ x − z ∧ arctan(x) + arctan(y) > y Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

21. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion CORAL CORAL Focus on ﬂoating point computation Solves constraints by particle swarm optimisation (population based metaheuristic) Generates initial solutions randomly in range determined by interval solver “Solves all constraints that exact solvers manage and more” Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

22. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion CORAL CORAL: Stepwise Adaptive Weighting Solutions with even minimal constraint violations are still infeasible Avoiding local optima is critical Stepwise Adaptive Weighting (SAW) Change objective function dynamically during runtime Reward solutions that satisfy hard-to-solve constraints Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

23. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion CORAL CORAL: Stepwise Adaptive Weighting Solutions with even minimal constraint violations are still infeasible Avoiding local optima is critical Stepwise Adaptive Weighting (SAW) Change objective function dynamically during runtime Reward solutions that satisfy hard-to-solve constraints Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

25. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion Conclusion Constraint solving dominates runtime of symbolic execution Unsolvable constraints severely hinder symbolic execution Some optimisations: Constraint independence Solution caching Incremental solving Harder constraints can/have to be solved (meta-)heuristically Navigate reasonably, not exhaustively through search space Try to goal-orientedly optimise infeasible solutions Deal with local optima (e.g. by SAW) Bernhard Mallinger Programming Languages Seminar SS13 TU Wien Dealing with constraints in symbolic execution

Dealing with complex constraints in symbolic execution

More Related Content

Similar to Dealing with complex constraints in symbolic execution (20)

Recently uploaded (20)

Dealing with complex constraints in symbolic execution