Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
sav08:forward_symbolic_execution [2009/03/11 10:46] vkuncak |
sav08:forward_symbolic_execution [2009/03/11 14:35] vkuncak |
||
|---|---|---|---|
| Line 17: | Line 17: | ||
| === Exploiting Analogy with Execution === | === Exploiting Analogy with Execution === | ||
| - | Maintain symbolic state formula $R(x_0,x)$ in the following normal form: | + | Maintain symbolic state formula $R(x_0,y_0,x,y)$ in the following normal form: |
| \[ | \[ | ||
| x = e_x \land y = e_y \land P | x = e_x \land y = e_y \land P | ||
| Line 42: | Line 42: | ||
| Special case: if initial condition specifies values of variables, then we know which branch to enter. | Special case: if initial condition specifies values of variables, then we know which branch to enter. | ||
| + | |||
| ===== Symbolic Execution Rules ===== | ===== Symbolic Execution Rules ===== | ||
| Line 74: | Line 75: | ||
| assume(F) | assume(F) | ||
| change state: | change state: | ||
| - | P := P & F | + | P := P & F[x<-e_x, y<-e_y] |
| === Havoc === | === Havoc === | ||
| Line 137: | Line 138: | ||
| * Loop unrolling: replace loop( c ) with c[]c;c[]c;c;c for some number of times | * Loop unrolling: replace loop( c ) with c[]c;c[]c;c;c for some number of times | ||
| * Instantiating values: find a satisfying assignment for R, take value v of x in it and replace e_x with v (moves towards concrete execution) | * Instantiating values: find a satisfying assignment for R, take value v of x in it and replace e_x with v (moves towards concrete execution) | ||
| + | |||
| ===== Overaproximation ===== | ===== Overaproximation ===== | ||
| Line 146: | Line 148: | ||
| * maintain only linear or certain polynomial constraints - if actual constraints are more complex, keep only the polynomial constraints that are guaranteed to hold | * maintain only linear or certain polynomial constraints - if actual constraints are more complex, keep only the polynomial constraints that are guaranteed to hold | ||
| - | Why we approximate: we can obtain | + | Why we approximate we can obtain |
| - | * termination | + | * termination even for programs that have loops |
| - | * useful information (not exactly all information that we are interested in, depends on the approximation) | + | * useful information about the program (not exactly all information that we are interested in, depends on the approximation) |
| ===== References ===== | ===== References ===== | ||
| - | * [[http://doi.acm.org/10.1145/360248.360252|Symbolic execution and program testing]] by James C. King | + | * [[http://doi.acm.org/10.1145/360248.360252|Symbolic execution and program testing]] by James C. King ({{sav08:king76symbolicexecution.pdf|pdf}}) |
| * Lori Clarke and Debra Richardson: Symbolic Evaluation Methods for Program Analysis, in Program Flow Analysis: Theory and Applications, Prentice-Hall 1981. | * Lori Clarke and Debra Richardson: Symbolic Evaluation Methods for Program Analysis, in Program Flow Analysis: Theory and Applications, Prentice-Hall 1981. | ||
| * [[http://www.cs.utexas.edu/users/sandip/publications/symbolic-lpar/main.html|Verification Condition Generation via Theorem Proving]] | * [[http://www.cs.utexas.edu/users/sandip/publications/symbolic-lpar/main.html|Verification Condition Generation via Theorem Proving]] | ||
| * [[http://osl.cs.uiuc.edu/~ksen/cute/|CUTE Tool]] | * [[http://osl.cs.uiuc.edu/~ksen/cute/|CUTE Tool]] | ||