Path Slicing
Presentation by Massimiliano Menarini
Ranjit Jhala and Rupak Majumdar, “Path Slicing” PLDI 05 (June 2005, Chicago, Illinois)
Outline

Use of Path Slices




Control Flow Automata
Weakest Preconditions
Properties of Path Slices





Model checking and counter examples
Completeness
Soundness
Path Slice Algorithm
Experimental Results
Conclusion
Use of Path Slices

Model checking



Allow for the exploration of the execution space of an
application to find some error
Return a counter example: an execution path form the
start state to an error state
Motivation for using Path Slicing techniques

The returned counter example can be very long


For example the paper presents an experiment where a
property checked on gcc returned a 82,695 basic blocks
counter example
Obtain understandable counter examples

We are interested in only the operations that affect the
reachability of the error state (potentially a fraction of the full
counter example)
Example of CFA
Source
Ex() {
0: if(a>0)
1: x=1;
2: c=0;
3: for(i=1;i<1000;i++)
4: c=c+f(i);
5: if(a>0){
6: if(x==0){
ERR: }}
...
}
CFA
[a>0]
0
[a≤0]
1
x=1
[i<1000]
2
3
c=0
i=1
3’
4
c=c+f(i)
i++
[i≥1000]
5
[a>0]
6
[x==0]
Err
Exit
[a≤0]
Control Flow Automata


It is a CFG with operations on the edges and
program counter on the vertexes
Formally

Operations (Ops) of 2 types








Assignment: l:=e
assume: assume(p)
CFA Cf=(PCf, pc0, pcout, Ef, Vf)
PCf is a set of locations (program counters)
pc0PCf is the start location
pcoutPCf is the exit location
Ef set of edges, Ef  PCf  Ops  PCf
Vf set of variables (?)
Weakest Preconditions

Given a logical formula j over a set of variables X.


j represents all X-states where the values of X satisfy j
The weakest precondition (WP) of j with regard
to the operation op  Ops (WP.j.op) is the set of
states that can reach a state in j after executing op
X={a}
Ops={a=0, a=1}
j =[a==1]
Therefore
j identifies {a=1}
WP.j.(a=1)={all}
WP.j.(a=0)={Ø}
Example of Paths
To execute must be
(j)
Path toa>0
pc=6
CFA
[a>0]
0
[a≤0]
1
x=1
[i<1000]
2
3
[a>0]
1
c=0
x=1
c=c+f(i)
i++
2
i=1
3
3’
4
0
[i≥1000]
5
6
[a≤0]
5
[a>0]
[x==0]
6
Err
Exit
i=1
3’
[i≥1000]
[a>0]
c=0
Trace
[a>0]
x=1
c=0
i=1
[i≥1000]
[a>0]
Variables
a
Cannot execute:
this is an
c
unfeasible
path
i
x
Paths and Slices





A path p from pc to pc’ is a sequence of edges of
the CFA such that: the destination of one and the
source of the next coincide, the source of the first
edge is pc and the destination of the last is pc’
A trace is the sequence of operations on the edges
of a path
A path is feasible if there is some state that can
execute it
A state s can reach a location pc if there exist a
path from pc0 to pc that can be executed by s
A Path Slice p’ is a subsequence of a path p
Completeness

p’ is a complete slice of p (path from pc0 to an error
location pce) if for every sWP.true.Tr.p’ either:



there exist a program path p’’ from pc0 to pce such that s
can execute p’’, or
S cannot reach pcout
Therefore if there is a complete slice to an error
location and it is feasible (therefore executable for
some state), we are guaranteed that for each state
that can execute the slice there exist an executable
path that reach the error location
Soundness


A path slice p’ of p is a sound slice if WP.true.(Tr.p)
 WP.true.(Tr.p’)
So a state that can execute the trace of a path can
execute the trace if a sound slice of it
Example
CFA
[a>0]
[i<1000]
[a>0]
0
[a≤0]
1
x=0
Slice
2
3
c=0
i=1
3’
4
c=c+f(i)
i++
[x==0]
c=c+f(i)
i++
Exit
x=0
[i<1000]
3
c=c+f(i)
i++
[i≥1000]
[a>0]
6
c=0
i=1
[i≥1000]
5
[a>0]
6
[x==0]
Err
2
3’
4
5
[a≤0]
0
1
3’
4
[x==0]
Err
[a>0]
0
x=0
Not Sound
slice
2
The path could c=0
execute in
s={a>0} the 3slice only in
[i<1000]
i=1
s’={a>0, x=0}
5
6
Slice
1
[i≥1000]
[a>0]
Complete and Sound Slice
Err
Path Slice Algorithm


Backward traversal of the CFA
Keep 2 information



lvalues set L (the set of lives values)
Step location pcs
An edge is added to the slice if



It assign one of the lvalues
If there is a branch that can bypass the current
step
If there is a path from the current edge to the
step edge that assign one of the lvalues
Experimental Results




Tested correctens of files handling in real programs
(fcron, wuftpd, make, privoxy, ijpeg, openssh, gcc)
In average the length of the Slice was 5% of the
length of the original trace
In case of longer traces the slices where much
shorter (0.1%)
Examples


Shortest trace 47 operations: output 27 operations (57%)
Longest trace 82,695 operations: output 43 operations
(less that 0.1%)
Conclusion





Path Slicing is an interesting technique to reduce the size of a
counter example
An linear algorithm that return a Sound and Complete path
slice is provided
Implemented in the Blast model checker
Experimental results on real programs proved the benefit of
that approach
Limitations



The implementation use a depth first search for counter
examples that returns very long traces
Imprecise model of the heap creates problems in the verification
of certain programs
Slow implementation of WrBt and By functions used by the
algorithm, don’t scale well