SLIDE 1
Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken
PLDI, Santa Barbara, June 16, 2016
2
Automatically Reason about Programs
Symbolic Execution Program Verification Program Equivalence
Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa - - PowerPoint PPT Presentation
Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa - - PowerPoint PPT Presentation
Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa Barbara, June 16, 2016 Symbolic Execution Automatically Program Reason about Verification Programs Program Equivalence 2 Automatically reasoning about
SLIDE 2
SLIDE 3
Automatically reasoning about programs requires
3
SLIDE 4
testq %rdi, %rdi je .L1 xorq %rax, %rax .L0: movq %rdi, %rdx andq $0x1, %rdx addq %rdx, %rax shrq $0x1, %rdi jne .L0 cltq retq .L1: xorq %rax, %rax retq 4
SLIDE 5
5
addq $0x1, %rax rax β rax +64 164 64-bit bit-vector addition 64-bit constant previous value of rax
SLIDE 6
6
addq $0x1, %rax rax β rax +64 164 al β al +8 18 addb $0x1, %al
SLIDE 7
7
addq $0x1, %rax rax β rax +64 164 addb $0x1, %al
eax
32 bits
ax 16 bits al ah rax
al β al +8 18
8 bits 64 bits 8 bits
SLIDE 8
8
addq $0x1, %rax rax β rax +64 164 addb $0x1, %al
eax
32 bits
ax 16 bits al ah rax
al β al +8 18
8 bits 64 bits 8 bits
rax β rax 63: 8 β rax 7: 0 +8 18
SLIDE 9
9
rax β rax 63: 8 β rax 7: 0 +8 18 rax β rax[63: 32] β (rax[31: 0] +32 132) addw $0x1, %ax rax β rax 63: 16 β rax 15: 0 +16 116 addl $0x1, %eax addq $0x1, %rax rax β rax +64 164 addb $0x1, %al
SLIDE 10
10
rax β rax 63: 8 β rax 7: 0 +8 18 rax β 032 β (rax[31: 0] +32 132) addw $0x1, %ax rax β rax 63: 16 β rax 15: 0 +16 116 addl $0x1, %eax addq $0x1, %rax rax β rax +64 164 addb $0x1, %al
SLIDE 11
11
rax β rax 63: 8 β rax 7: 0 +8 18 rax β 032 β (rax[31: 0] +32 132) addw $0x1, %ax rax β rax 63: 16 β rax 15: 0 +16 116 addl $0x1, %eax addq $0x1, %rax rax β rax +64 164 addb $0x1, %al zf β 032 = (eax +32 132) cf β 01 β eax +33 133 [32,32] sf β eax +32 132 [31,31]
- f β Β¬eax 31,31 β§ (eax +32 132)[31,31]
pf β (eax +32 132)[0,0] β (eax +32 132)[1,1] β (eax +32 132)[2,2] β (eax +32 132)[3,3] β (eax +32 132)[4,4] β (eax +32 132)[5,5] β (eax +32 132)[6,6] β (eax +32 132)[7,7]
SLIDE 12
- Manual partial specifications
β CompCert [CACMβ09], BAP [CAVβ11], BitBlaze [ICISSβ08], Codesurfer/x86 [ETAPSβ05], McVeto [CAVβ10], STOKE [ASPLOSβ13], Jakstab [CAVβ08], many others
- Taly/Godefroid [PLDIβ12]
β Automatically synthesize specification from templates β Only 534 instructions
13
SLIDE 13
14
Bit-vector formulas of input-output behavior
SLIDE 14
15
Base set Specify manually Remaining Instructions Learn specification automatically All instructions
SLIDE 15
16
Instruction π Program π synthesize combine base formulas Formula π
Formal guarantee? π β‘ π How do we synthesize programs?
SLIDE 16
17
How do we synthesize programs?
Randomized search Guided by cost function Based on test-cases Using STOKE [ASPLOSβ13]
Instruction π Program π synthesize combine base formulas Formula π
SLIDE 17
18
Instruction π Program π synthesize combine base formulas Formula π
Formal guarantee? π β‘ π
π β‘ π
SLIDE 18
19
Instruction π Program π synthesize combine base formulas Formula π
Formal guarantee? π β‘ π
π β‘ π β‘ π
SLIDE 19
20
Instruction π Program π synthesize combine base formulas Candidate formula π
Formal guarantee? π β‘ π
π β‘ π β‘ π
SLIDE 20
21
Instruction π Program π synthesize combine base formulas Program πβ² π Φ
? πβ²
yes no β increase confidence Add counter example, remove wrong program(s)
β¦
Candidate formula π Candidate formula πβ² Candidate formula πβ²β²
SLIDE 21
22
π Φ
? πβ²
Increase confidence Remove incorrect program(s) No information about equivalence
SLIDE 22
23
π Φ
? πβ²
Increase confidence Remove incorrect program(s) No information about equivalence
SLIDE 23
24
π Φ
? πβ²
Increase confidence Remove incorrect program(s) No information about equivalence Equivalence class 1 Equivalence class 2
SLIDE 24
25
- Prefer programs whose formulas are
β Precise (fewest uninterpreted functions) β Fast (fewest non-linear arithmetic operations) β Simple (fewest nodes)
Equivalence class 1 Equivalence class 2 Equivalence class 3
SLIDE 25
26
- Prefer programs whose formulas are
β Precise (fewest uninterpreted functions) β Fast (fewest non-linear arithmetic operations) β Simple (fewest nodes)
Equivalence class 1 Equivalence class 2 Equivalence class 3
SLIDE 26
27
synthesize
SLIDE 27
28
SLIDE 28
29
addw %ax, %dx dx β dx +16 ax addw %cx, %bx
Learn
bx β bx +16 cx
Rename
addw (%rsp), %dx dx β dx +16 M rsp addw $0x5, %dx dx β dx +16 516
β β β
SLIDE 29
1. Learn formula for register-only instructions
- 2. Generalize formulas
β To other types of operands
- 3. Check on test inputs
30
SLIDE 30
31
shufps $0xb3, %xmm0, %xmm1
Solution: Brute force a formula for every constant Problem: No corresponding register-only variant
SLIDE 31
- Base set (51 instructions)
β Integer, bitwise and float operations β Data movement (including conditional move) β Conversion operations
- Pseudo instructions (11 templates)
β Split and combine registers β Changing status flags
32
SLIDE 32
- Total instructions
3,684
- Out-of-scope
β System instructions 302 β Crypto instructions 35 β Deprecated instructions 332 β String instructions 97
- Goal instructions
2,918
33
invpcid, jle aeskeygenassist fadd scasq
SLIDE 33
- Base set
51
- Pseudo instructions
11
- Register-only instructions learned
692
- Generalized
984
- 8-bit constant instructions learned
119.42
- Total formulas learned
1,795.42
34
SLIDE 34
35
Compare with handwritten formulas (from STOKE) Available for comparison 1,431.91 Automatically proven equivalent Equivalent with additional lemma 1,377.91 4
SLIDE 35
1,431.91 1,377.91 4
36
Compare with handwritten formulas (from STOKE) Available for comparison Automatically proven equivalent Equivalent with additional lemma
fadd π, π = fadd π, π
SLIDE 36
37
Compare with handwritten formulas (from STOKE) Available for comparison Automatically proven equivalent Equivalent with additional lemma Semantically different Handwritten formula correct Learned formula correct 50 50 1,431.91 1,377.91 4
SLIDE 37
38
stratum π = ΰ΅ if π β baseset 1 + max
πβ²βπ(π) stratum iβ²
- therwise
Stratum 0 Stratum 1 Stratum 2 Stratum 3 base set
SLIDE 38
39
stratum π = ΰ΅ if π β baseset 1 + max
πβ²βπ(π) stratum iβ²
- therwise
SLIDE 39
40
100 200 300 400 500 600 700 800 50 100 150 200 250 Number of formulas learned Wall-clock time elapsed [hours] Stratification Without stratification
SLIDE 40
41
number of nodes in learned formula number of nodes in handwritten formula Fully inlined: 3526 instructions
SLIDE 41
- 1. Automatically learned 1,795 formulas
- 2. Stratification key to scale program synthesis
- 3. Compare to hand-written specification
β More correct, equally precise, same size
Source code, formulas, experimental results
42
https://github.com/StanfordPL/strata/
SLIDE 42
43
SLIDE 43
1. Missing base instructions
Some integer and floating point operations are missing
2. Program synthesis limits
Shortest known program is long and outside of reach e.g., byte-vectorized operation
3. Cost function limitation
For one bit of output, the cost function does not give enough signal
- 4. Crazy instructions
44
SLIDE 44
- Total decisions
7,075
- Equivalent
6,669 (94.26%)
- New equivalence class
356 (5.03%)
- Counter-examples
50 (0.71%)
- Timeouts (45 seconds):
3
45
SLIDE 45
- Intel Xeon E5-2697 (28 cores) at 2.6 GHz
β 268.86 hours (register-only) β 159.12 hours (8-bit constants)
- Total of 11,983.37 core hours
46
SLIDE 46
- Random inputs (random machine state)
- βInterestingβ bit-patterns
0, 1, β1, 2π, NaN, Infinity
- Test cases learned from counter-examples
47
SLIDE 47
- Formulas are simplified
β Constant propagation β Move bit-selection over concatenation
264 β64 464
β‘ 864
064 β rax 63,0 β‘ rax
48
SLIDE 48
- Formula precision (number of uninterpreted functions)
β Learned formulas equally precise in all but 4 cases
- Formula quality (number of non-linear operations)
β Learned formulas contain same number of non- linear operations, except for 11 cases
49