Path SlicingOutlineUse of Path SlicesExample of CFAControl Flow AutomataWeakest PreconditionsExample of PathsPaths and SlicesCompletenessSoundnessExamplePath Slice AlgorithmExperimental ResultsConclusionPath SlicingPresentation by Massimiliano MenariniRanjit Jhala and Rupak Majumdar, “Path Slicing” PLDI 05 (June 2005, Chicago, Illinois)OutlineUse of Path SlicesModel checking and counter examplesControl Flow Automata Weakest Preconditions Properties of Path SlicesCompletenessSoundnessPath Slice AlgorithmExperimental ResultsConclusionUse of Path SlicesModel checkingAllow for the exploration of the execution space of an application to find some errorReturn a counter example: an execution path form the start state to an error stateMotivation for using Path Slicing techniques The returned counter example can be very longFor example the paper presents an experiment where a property checked on gcc returned a 82,695 basic blocks counter exampleObtain understandable counter examplesWe are interested in only the operations that affect the reachability of the error state (potentially a fraction of the full counter example)Example of CFASourceEx() {0: if(a>0)1: x=1;2: c=0;3: for(i=1;i<1000;i++)4: c=c+f(i);5: if(a>0){6: if(x==0){ ERR: }} ... }CFA01233’456Err Exit[a>0][a≤0]x=1c=0i=1[i<1000][i≥1000]c=c+f(i)i++[a>0][a≤0][x==0]Control Flow AutomataIt is a CFG with operations on the edges and program counter on the vertexesFormallyOperations (Ops) of 2 typesAssignment: l:=eassume: assume(p)CFA Cf=(PCf, pc0, pcout, Ef, Vf)PCf is a set of locations (program counters)pc0PCf is the start locationpcoutPCf is the exit locationEf set of edges, Ef  PCf  Ops  PCf Vf set of variables (?)Weakest PreconditionsGiven a logical formula  over a set of variables X. represents all X-states where the values of X satisfy The weakest precondition (WP) of  with regard to the operation op  Ops (WP..op) is the set of states that can reach a state in  after executing op X={a}Ops={a=0, a=1} =[a==1]Therefore identifies {a=1}WP..(a=1)={all}WP..(a=0)={Ø}Example of PathsCFA01233’456Err Exit[a>0][a≤0]x=1c=0i=1[i<1000][i≥1000]c=c+f(i)i++[a>0][a≤0][x==0]Path to pc=601233’56[a>0]x=1c=0i=1[i≥1000][a>0]Trace[a>0]x=1c=0i=1[i≥1000][a>0]VariablesacixCannot execute: this is an unfeasible pathTo execute must be a>0 ()Paths and SlicesA path  from pc to pc’ is a sequence of edges of the CFA such that: the destination of one and the source of the next coincide, the source of the first edge is pc and the destination of the last is pc’A trace is the sequence of operations on the edges of a pathA path is feasible if there is some state that can execute itA state s can reach a location pc if there exist a path from pc0 to pc that can be executed by sA Path Slice ’ is a subsequence of a path Completeness’ is a complete slice of  (path from pc0 to an error location pc) if for every sWP.true.Tr.’ either:there exist a program path ’’ from pc0 to pc such that s can execute ’’, orS cannot reach pcoutTherefore if there is a complete slice to an error location and it is feasible (therefore executable for some state), we are guaranteed that for each state that can execute the slice there exist an executable path that reach the error locationSoundnessA path slice ’ of  is a sound slice if WP.true.(Tr.)  WP.true.(Tr.’)So a state that can execute the trace of a path can execute the trace if a sound slice of itExampleCFA01233’456Err Exit[a>0][a≤0]x=0c=0i=1[i<1000][i≥1000]c=c+f(i)i++[a>0][a≤0][x==0]Slice01233’56Err[a>0]x=0c=0i=1[i≥1000][a>0][x==0]4[i<1000]c=c+f(i)i++Slice01233’56Err[a>0]x=0c=0i=1[i≥1000][a>0][x==0]4[i<1000]c=c+f(i)i++Not Sound sliceThe path could execute in s={a>0} the slice only in s’={a>0, x=0}Complete and Sound SlicePath Slice AlgorithmBackward traversal of the CFAKeep 2 informationlvalues set L (the set of lives values)Step location pcs An edge is added to the slice ifIt assign one of the lvaluesIf there is a branch that can bypass the current stepIf there is a path from the current edge to the step edge that assign one of the lvaluesExperimental ResultsTested correctens of files handling in real programs (fcron, wuftpd, make, privoxy, ijpeg, openssh, gcc)In average the length of the Slice was 5% of the length of the original traceIn case of longer traces the slices where much shorter (0.1%)ExamplesShortest trace 47 operations: output 27 operations (57%)Longest trace 82,695 operations: output 43 operations (less that 0.1%)ConclusionPath Slicing is an interesting technique to reduce the size of a counter exampleAn linear algorithm that return a Sound and Complete path slice is providedImplemented in the Blast model checkerExperimental results on real programs proved the benefit of that approachLimitationsThe implementation use a depth first search for counter examples that returns very long tracesImprecise model of the heap creates problems in the verification of certain programsSlow implementation of WrBt and By functions used by the algorithm, don’t scale