The document discusses various techniques for dealing with constraints that arise during symbolic execution. It outlines optimizations like constraint independence and solution caching to improve constraint solving performance. A heuristic approach called CORAL is presented that uses particle swarm optimization to solve constraints that stump exact solvers by iteratively improving infeasible solutions.
1. Constraints in Symbolic Execution Optimisations Heuristic Approach Conclusion
Dealing with constraints in symbolic execution
Bernhard Mallinger
Programming Languages Seminar SS13
TU Wien
June 11th, 2013
Bernhard Mallinger Programming Languages Seminar SS13 TU Wien
Dealing with constraints in symbolic execution
Outline
1 Constraints in Symbolic Execution
2 Optimisations
Constraint independence
Solution caching
Incremental solving
3 Heuristic Approach
Motivation
CORAL
4 Conclusion
Constraints in Symbolic Execution
Constraints on variables are collected by analysing the code:
    if (preproc) {
        if (extensive_preproc) {
            // extensive preprocessing
        }
    }
The extensive-preprocessing block is reached iff
PC ∧ preproc ∧ extensive_preproc is satisfiable
⇒ Unreachability test
⇒ Test case generator
Solvers
Depending on the code, different kinds of solvers are efficient:
Linear arithmetic
Complex functions
General, unstructured constraints
...
Tremendous speedup in recent years (SAT)
Constraints over continuous functions in particular are still not solvable
Constraint solving dominates runtime
Constraint independence
In the path condition, all constraints are combined
⇒ but not all of them are related
Separate logically independent groups:
    if (preproc) {
        // do preproc
    }
    // algo
    if (postproc) {
        // do postproc
    }
PC ∧ preproc ∧ postproc
PC ∧ preproc ∧ ¬postproc
PC ∧ ¬preproc ∧ postproc
PC ∧ ¬preproc ∧ ¬postproc
Variables are related if they appear in the same constraint
⇒ Reachability problem
Solution caching
Multiple queries contain the same independent groups of constraints ⇒ simply cache results
More elaborate: exploit repetitions in path conditions:
    if (preproc) {
        if (extensive_preproc) {
            // do extensive preprocessing
        }
    }
PC ∧ preproc
PC ∧ preproc ∧ extensive_preproc
Solution caching
Constraint                            Solution
C1 = {preproc}                        S1 = {preproc → 1}
C2 = {preproc, ext_preproc}           S2 = {preproc → 1, ext_preproc → 1}
C3 = {preproc, ¬preproc}              X (unsatisfiable)
C4 = {preproc, ¬preproc, postproc}    X (unsatisfiable)
S2 is a solution to C1, since C1 ⊆ C2
Since C3 is unsatisfiable, so is C4, as C3 ⊆ C4
S2 is often an extension of S1, since C1 ⊆ C2
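The three subset/superset rules of this slide, as an added example that is neither KLEE's nor the slides' code: a cache keyed by sets of constraints that is consulted before the solver. Constraints are constructed strings of the form "var op int" (so each one mentions a single variable), and the brute-force solver over a small integer range stands in for an SMT solver; the hit/miss counters are only there to make the effect visible.

```python
"""Added example, not KLEE's or the slides' code: a solution cache for
constraint queries keyed by sets of constraints. Before calling the solver,
a query C looks for cached entries related to it by subset/superset:
  - a cached C' ⊇ C with model S': S' also solves C (S2 solves C1);
  - a cached C' ⊆ C that is unsatisfiable: C is unsatisfiable too (C3 ⊆ C4);
  - a cached C' ⊆ C with model S': S' is tried on C, since the model of a
    superset is often just an extension of the subset's model.
Constraints are constructed strings "var op int"; the brute-force solver
stands in for an SMT solver."""
import operator

OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le,
       ">=": operator.ge, "==": operator.eq}

def parse(constraint):
    var, op, rhs = constraint.split()
    return var, OPS[op], int(rhs)

def satisfies(model, constraints):
    """True iff every constraint holds under model (unassigned variables fail)."""
    for c in constraints:
        var, op, rhs = parse(c)
        if var not in model or not op(model[var], rhs):
            return False
    return True

def toy_solver(constraints, domain=range(-10, 11)):
    """Each constraint mentions a single variable, so every variable can be
    searched on its own; returns a model dict or None when unsatisfiable."""
    by_var = {}
    for c in constraints:
        by_var.setdefault(parse(c)[0], []).append(c)
    model = {}
    for var, cs in by_var.items():
        for value in domain:
            if satisfies({var: value}, cs):
                model[var] = value
                break
        else:
            return None
    return model

class SolutionCache:
    def __init__(self, solver):
        self.solver = solver
        self.cache = {}      # frozenset(constraints) -> model dict, or None if unsat
        self.hits = self.misses = 0

    def query(self, constraints):
        key = frozenset(constraints)
        entries = list(self.cache.items())
        # exact match, superset with a model, or unsatisfiable subset
        for cached, model in entries:
            if (cached <= key and model is None) or (key <= cached and model is not None):
                self.hits += 1
                self.cache[key] = model
                return model
        # subset with a model: maybe it already extends to the new constraints
        for cached, model in entries:
            if cached <= key and model is not None and satisfies(model, key):
                self.hits += 1
                self.cache[key] = model
                return model
        self.misses += 1
        model = self.solver(key)
        self.cache[key] = model
        return model

if __name__ == "__main__":
    cache = SolutionCache(toy_solver)
    for query in (["preproc > 0"],
                  ["preproc > 0", "ext > 0"],
                  ["ext > 0"],
                  ["preproc > 0", "preproc < 0"],
                  ["preproc > 0", "preproc < 0", "postproc > 0"],
                  ["preproc > 0", "preproc < 5"]):
        print(sorted(query), "->", cache.query(query))
    print("hits:", cache.hits, "misses:", cache.misses)
```

The subset check with the cached model is the cheap one: evaluating a candidate against the new constraints costs far less than a solver call, and it succeeds whenever the appended predicate happens to hold under the old model.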
Incremental solving
In queries generated during symbolic execution, often only the last predicates differ:
    if (postproc) {
        if (fancy_output) {
            // print fancy statistics
        }
    }
PC ∧ postproc
PC ∧ postproc ∧ fancy_output
Determine the set of variables that depend on the variables in the last predicate, solve for those, and reuse the old solution for the rest
Empirical results
Figure: Performance with and without the solution cache and constraint
independence optimisation in KLEE. Source: Cadar et al., 2008
Motivation
Still many unsolvable path conditions
Can’t search exhaustively, so guess smartly, improve guesses
Reasonable way of “thinking”?
Reinterpret decision problem as optimisation problem
Minimise violations
New precondition: Locality in solution space
Works for all domains, given locality
Metaheuristics
Random initial solutions probably contain viable fragments
Optimise given invalid solutions by local search
Combine promising solutions
Steer towards regions of high objective value
CORAL
$x^{\tan(y)} + z < x \cdot \arctan(z) \;\wedge\; \sin(y) + \cos(y) + \tan(y) \geq x - z \;\wedge\; \arctan(x) + \arctan(y) > y$
Focus on floating point computation
Solves constraints by particle swarm optimisation (population
based metaheuristic)
Generates initial solutions randomly in range determined by
interval solver
“Solves all constraints that exact solvers manage and more”
CORAL: Stepwise Adaptive Weighting
Solutions with even minimal constraint violations are still infeasible
Avoiding local optima is critical
Stepwise Adaptive Weighting (SAW)
Change objective function dynamically during runtime
Reward solutions that satisfy hard-to-solve constraints
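The approach of the last three slides, as an added example that is not CORAL's own code: the decision problem "is the path condition satisfiable?" is recast as minimising a weighted sum of constraint violations, a particle swarm searches the floating-point space, and the SAW step raises the weight of every constraint the swarm's best candidate still violates. The search bounds stand in for the range that CORAL's interval solver would produce and are an assumption; the constraint encoding (a function returning by how much an inequality is violated, plus a strictness flag), the swarm parameters, and the small two-variable system used to check the solver are constructed here.

```python
"""Added example, not CORAL's own code: a particle swarm optimiser with
Stepwise Adaptive Weighting (SAW) that searches for a floating-point
assignment satisfying a conjunction of constraints. Satisfiability is
recast as minimising a weighted sum of constraint violations; SAW raises
the weight of every constraint the swarm's best point still violates."""
import math
import random

EPS = 1e-9  # margin so that a reported solution satisfies strict inequalities
BIG = 1e6   # penalty for points where a constraint is undefined (NaN, pow errors)

# A constraint is (excess, strict): excess(point) = lhs - rhs for "lhs < rhs" or
# "lhs <= rhs"; it is satisfied when excess < 0 (strict) or excess <= 0.
def violation(constraint, point):
    """By how much the constraint is violated at point; 0.0 means satisfied."""
    excess, strict = constraint
    try:
        v = excess(*point)
    except (ValueError, OverflowError, ZeroDivisionError):
        return BIG
    if math.isnan(v) or math.isinf(v):
        return BIG
    return max(0.0, v + (EPS if strict else 0.0))

def total_violation(constraints, point):
    return sum(violation(c, point) for c in constraints)

def satisfied(constraints, point):
    return total_violation(constraints, point) == 0.0

def weighted(constraints, weights, point):
    return sum(w * violation(c, point) for c, w in zip(constraints, weights))

def saw_update(constraints, weights, best_point, step=1.0):
    """SAW step: every constraint the current best point violates gets heavier,
    so the objective changes at runtime and rewards solving the hard ones."""
    return [w + step if violation(c, best_point) > 0 else w
            for c, w in zip(constraints, weights)]

def pso_saw(constraints, bounds, particles=30, iterations=300, saw_every=10, seed=1):
    """Returns (best_point, found). bounds plays the role of CORAL's interval
    solver output, the range in which initial candidates are drawn (assumed)."""
    rng = random.Random(seed)
    dim = len(bounds)
    weights = [1.0] * len(constraints)
    pos = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(particles)]
    vel = [[0.0] * dim for _ in range(particles)]
    pbest = [p[:] for p in pos]
    pbest_val = [weighted(constraints, weights, p) for p in pos]
    g = min(range(particles), key=pbest_val.__getitem__)
    gbest, gbest_val = pbest[g][:], pbest_val[g]
    if gbest_val == 0.0:
        return gbest, True
    inertia, c_self, c_swarm = 0.7, 1.5, 1.5
    for it in range(1, iterations + 1):
        for i in range(particles):
            for d, (lo, hi) in enumerate(bounds):
                r1, r2 = rng.random(), rng.random()
                vel[i][d] = (inertia * vel[i][d]
                             + c_self * r1 * (pbest[i][d] - pos[i][d])
                             + c_swarm * r2 * (gbest[d] - pos[i][d]))
                pos[i][d] = min(hi, max(lo, pos[i][d] + vel[i][d]))
            val = weighted(constraints, weights, pos[i])
            if val < pbest_val[i]:
                pbest[i], pbest_val[i] = pos[i][:], val
                if val < gbest_val:
                    gbest, gbest_val = pos[i][:], val
                    if val == 0.0:   # weights are positive: zero means every constraint holds
                        return gbest, True
        if it % saw_every == 0:
            weights = saw_update(constraints, weights, gbest)
            pbest_val = [weighted(constraints, weights, p) for p in pbest]
            gbest_val = weighted(constraints, weights, gbest)
    return gbest, False

# The example path condition from the CORAL slide (the bounds are an assumption):
#   x^tan(y) + z < x*arctan(z)  ∧  sin(y)+cos(y)+tan(y) >= x - z  ∧  arctan(x)+arctan(y) > y
CORAL_EXAMPLE = [
    (lambda x, y, z: math.pow(x, math.tan(y)) + z - x * math.atan(z), True),
    (lambda x, y, z: (x - z) - (math.sin(y) + math.cos(y) + math.tan(y)), False),
    (lambda x, y, z: y - (math.atan(x) + math.atan(y)), True),
]
CORAL_BOUNDS = [(-5.0, 5.0)] * 3

# A small constructed system used to check the solver: x > 0 ∧ y > 0 ∧ x + y < 3
SIMPLE = [
    (lambda x, y: -x, True),
    (lambda x, y: -y, True),
    (lambda x, y: x + y - 3, True),
]

if __name__ == "__main__":
    for name, cs, bs in (("simple", SIMPLE, [(-5.0, 5.0)] * 2),
                         ("coral", CORAL_EXAMPLE, CORAL_BOUNDS)):
        point, found = pso_saw(cs, bs)
        print(name, "solved" if found else "no solution found", point)
```

Two details matter in practice: a point at which a constraint is undefined (a negative base with a fractional exponent, an overflow) is given a large penalty rather than an exception, so the swarm is steered away from it, and strict inequalities are only reported satisfied with a small margin, so a returned assignment really is a model and not a point on the boundary. The method is a heuristic: `found == False` after the iteration budget says nothing about unsatisfiability.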
Conclusion
Constraint solving dominates runtime of symbolic execution
Unsolvable constraints severely hinder symbolic execution
Some optimisations:
Constraint independence
Solution caching
Incremental solving
Harder constraints can (and have to) be solved (meta-)heuristically
Navigate the search space reasonably, not exhaustively
Optimise infeasible solutions in a goal-directed way
Deal with local optima (e.g. by SAW)