Test Case Generation for Heap Inputs using Separation Logic · Test Case Generation for Heap Inputs using Separation Logic Quang Loc Le A joint work with many collaborators NII Shonan

Test Case Generation for Heap Inputs using

Separation Logic

Quang Loc Le

A joint work with many collaborators

NII Shonan Meeting Seminar 100, Japan

Oct 2, 2017

Loc Le (Teesside University) Program Testing using Separation Logic Oct 2, 2017 1 / 34

Test Case Generation for Heap Inputs

Input: a Java program and its Precondition

Output: Valid test cases

Goal: high coverage



Approach: Symbolic Execution

Path condition

Branching

SAT solver



Symbolic Execution with Lazy Initialization

JPF - 2003: Assign values to heap inputs on demand1 x ← null

2 x ← currentObj

3 x ← newObj

BBE - 2004: with repOK

JBSE - 2015: with HEX logical precondition



Symbolic Execution with Lazy Initialization

JPF - 2003

BBE - 2004

JBSE - 2015: with logical precondition for validation

only regular shape

no pure propertiesbounded - unsound SAT for induction



Symbolic Execution

Lazy Initialization with Least Fixed Point

SAT solver with induction reasoning


Add two numbers represented by linked lists

pred list pair(a,b) ≡ emp ∧ a = null ∧ b = null

∨ ∃n1,n2.a 7→Node( ,n1) ∗ b 7→Node( ,n2) ∗ list pair(n1,n2)



Input:

Program

Node add(Node x, Node y){Node dummyHead = new Node(0,null);Node z = dummyHead;while(x != null) {z.next = new Node(x.next+ y.next,null);x = x.next;y = y.next; z = z.next; }return dummyHead.next; }

Precondition

list pair(x , y)

Output: Test Cases

X=null ∧ Y=nullX 7→Node( ,null) ∗ Y 7→Node( ,null)



1 Node add(Node x, Node y){2 Node dummyHead = new Node(0,null);3 Node z = dummyHead;4 while(x != null) {5 z.next = new Node(x.next+ y.next,null);6 x = x.next;7 y = y.next; z = z.next; }8 return dummyHead.next; }

pc : ∃D,Z .list pair(X ,Y ) ∗ D 7→Node( ,null) ∧ Z=D

pc : ∃D,Z .(X=null ∧ Y=null) ∗ D 7→Node( ,null) ∧ Z=D

pc : ∃D,Z ,N1,N2.X 7→Node( ,N1) ∗ Y 7→Node( ,N2) ∗ list pair(X ,Y )∗D 7→Node( ,null) ∧ Z=D


Experimental Results

benchmarks: 74 methods - Singly Linked List, Doubly Linked List,

Stack, Binary Search Tree, and Red Black Tree from SIR; AVL

Tree and AA Tree from Sierum/Kiasan, and Gantt project from

SUSHI (ISSTA 2017).

Valid Test: BBE (8.14%), JBSE (0.72%), ours (100%)

Coverage: BBE (38.01%), JBSE (33.23%), ours (99.1%)


1 Program Testing

2 SAT Solver

Syntax

Problem

Decidable Fragment

3 Conclusion


A fragment of Separation Logic

Formula Φ ::= ∆ | Φ1 ∨ Φ2 ∆ ::= ∃v̄ . (κ∧π)Spatial formula κ ::= emp | x 7→c(vi) | P(v̄) | κ1∗κ2

Pure formula π ::= π1∧π2 | α | φ

α: Pointer (Dis)Equalities

φ: Presburger arithmetic

P: inductive predicate. Predicate Definition: P(̄t) ≡ Φ

Warning: no pointer arithmetic and no magic wand


Satisfiability Problem

Input: A formula ∆ in the fragment

Question: Is ∆ satisfiable?

Challenges:

Unbounded heaps

Infinite numerical domain


Proof by Induction

Base case

Induction case

Cyclic Proof (J. Brotherston - UCL, J.

Jaffa et. al. - NUS)

∆0

∆11 ∆⋆

12

∆21 ∆22 ∆31 ∆⋆

32

Weaken ∆32 to ∆′32

Find σ s.t. ∆′32σ ⇒ ∆12


Cyclic Proof

From Entailment Problem (∆a⊢∆c) to Satisfiability Problem

(∆a⊢false )

Shape and Integer domains

link back simultaneously (CAV 2016)

Shape then Integer (CAV 2017)


Our Approach - CAV 2017

Decision Procedure: Base Computation

Compute for each inductive predicate a finite representation that

precisely characterises its satisfiability.


Base of Inductive Predicate: Example 1

Inductive predicate: Singly-linked list with size property

pred ll size(root,n) ≡ emp∧root=null∧n=0

∨ ∃ r ,n1· root7→node( ,r) ∗ ll size(r ,n1) ∧ n=n1+1

Example:

baseP(ll size(root,n))≡{emp∧root=null∧n=0,root7→node( , )∧n>0}


Projections

Inductive predicate: Singly-linked list with size property

pred ll size(root,n) ≡ emp∧root=null∧n=0

∨ ∃ r ,n1· root7→node( ,r) ∗ ll size(r ,n1) ∧ n=n1+1

Spatial projection

ll sizeS(root) ≡ emp ∧ root=null

∨ ∃ r · root7→nodeS(r)∗ll sizeS(r)

Numerical projection

ll sizeN(n) ≡ n=0

∨ ∃ n1· ll sizeN(n1)∧n=n1+1


Phase 1: Cyclic Tree for Spatial projection

ll sizeS(root) ≡ emp ∧ root=null

∨ ∃ r · root7→nodeS(r)∗ll sizeS(r)

∆0 ≡ ll sizeS(root)∆1 ≡ emp ∧ root=null

∆2 ≡ ∃ r · root7→nodeS(r)∗ll sizeS(r)

∆0

∆1 ∆2

{emp∧root=null,root7→node( , )}

Why not continue unfolding?


Foundation of Base Computation

For each formula, eliminating existentially quantified pointer-typed

variables produces an equi-satisfiable formula.

Example: ∆2 ≡ ∃ r · root7→nodeS(r)∗ll sizeS(r)is equi-satisfiable with

∆b2 ≡ ∃ r · root7→nodeS(r)


Phase 2: Cyclic Tree for Numeric projection

ll sizeN(n) ≡ n=0

∨ ∃ n1· ll sizeN(n1)∧n=n1+1

Cyclic Tree for Numeric Projection is the same unfolding pattern to the

one for Spatial Projection

π0 ≡ ll sizeN(n)π1 ≡ n=0

π2 ≡ ∃ n1· ll sizeN(n1)∧n=n1 + 1

π0

π1 π2

{n=0,n>0}find closure form of ll sizeN(n1).


Base Computation

Finite Representation: Base Formula (without inductive predicates)

Combining empty heap (emp), points-to (7→), spatial conjunction

(∗) and Presburger Arithmetic

Example:

SAT ∆1≡emp∧x=null∧n=0

UNSAT ∆2≡x 7→node(n,y) ∗ y 7→node(n−1,null)∧x=y

The fragment of base formulas is decidable

(Piskac, Wies and Zufferey - CAV 2013, Navarro and Rybalchenko

- APLAS 2013)


Base Computation

Given an inductive predicate P(x̄)≡Φ,

1 Construct a cyclic unfolding tree for ∆0 ≡ P(x̄)

2 Flatten the tree into a disjunctive set of base formulas

∆0

∆11 ∆⋆

12

∆21 ∆22 ∆31 ∆⋆

32

∆0

∆11 ∆b31

∆21 ∆22

baseP(P(x̄))≡{∆21,∆b

31}


Constructing Cyclic Unfolding Tree

Given an inductive predicate P(x̄)≡Φ, construct a unfolding tree for

∆0≡P(x̄) through iterations of actions:

1 Choose a (open) leaf, close it ifit can be reduced into a base formula.

a base formula

a formula in which pointer-typed parameters of every inductive

predicates are existentially quantified.

its over-approximation is unsat.

can be linked back to form a circular path.

2 Otherwise, unfold it.

∆0

∆11 ∆⋆

12

∆21 ∆22 ∆31 ∆⋆

32


Example 2: Constructing Cyclic Unfolding Tree

pred Q(x ,y ,n) ≡ ∃ y1.x 7→node(null,y1)∧y=null∧x 6=null∧n=1

∨ ∃ x1,y1,n1.y 7→node(x1,y1) ∗ Q(x , y1,n1)∧y 6=null∧n=n1+2;

∆0 ≡ Q(x ,y ,n)

1 Base Detection. None

2 Over-Approximation. π0 ≡ true .

Not UNSAT

3 Cyclic Detection. None

∆0

Figure : Unfolding Tree T0.



pred Q(x ,y ,n) ≡ ∃ y1.x 7→node(null,y1)∧y=null∧x 6=null∧n=1

∨ ∃ x1,y1,n1.y 7→node(x1,y1) ∗ Q(x , y1,n1)∧y 6=null∧n=n1+2;

∆2≡∃ x1,y1,n1.y 7→node(x1,y1) ∗ Q(x , y1,n1)∧y 6=null∧n=n1+2

∆3≡∃ x1,y1,n1,y2.y 7→node(x1,y1) ∗ x 7→node(null, y2) ∧y1=null∧x 6=null∧n1=1∧y 6=null∧n=n1+2

∆4≡∃ x1,y1,n1,x2,y2,n2.y 7→node(x1,y1)∗y1 7→node(x2,y2)∗Q(x , y2,n2) ∧y1 6=null∧n1=n2+2∧y 6=null∧n=n1+2

1 Base Detection. ∆3

2 Over-Approximation. π4≡.....Not UNSAT

3 Cyclic Detection. Yes

∆0

∆1 ∆♣2

∆3 ∆♣4

Figure : T Q2 .



Cyclic Detection

∆2≡∃ x1,y1,n1.y 7→node(x1,y1) ∗ Q(x , y1,n1)∧y 6=null∧n=n1+2

∆4≡∃ x1,y1,n1,x2,y2,n2.y 7→node(x1,y1)∗y1 7→node(x2,y2)∗Q(x , y2,n2) ∧y1 6=null∧n1=n2+2∧y 6=null∧n=n1+2

Steps

1 matching externally visible points-to predicate: y 7→node( , )

2 matching externally visible inductive predicates: Q(x , , )

In general, we may need to group isomorphic inductive predicatesbeforehand (same predicate name and same sequence of free

arguments)

3 matching externally visible (dis)equalities over pointers: y 6=null


Example 2: Flattening Cyclic Unfolding Tree

∆0

∆1 ∆♣2

∆3 ∆♣4



∆0

∆1 ∆♣2

∆3 ∆♣4

∆0

∆1 ∆2

∆3 ∆4

∆13 ∆1

4

...

∆flat3 ≡∆3 ∨∆1

3 ∨ ...

∆3≡ ∃ x1,y1,n1,y2.(y 7→node(x1,y1)∗x 7→node(null, y2)∧x 6=null∧y 6=null∧n=n1+1) ∧ (y1=null∧n1=1)

∆13≡∃ x1,y1,n1,x2,y2,n2,y3.(y 7→node(x1,y1)∗x 7→node(null, y3)∧x 6=null

y 6=null∧n=n1+1) ∗ (y1 7→node(x2,y2)∧y2=null∧n1=n2+2∧n2=1)



∆0

∆1 ∆♣2

∆3 ∆♣4

Pcyc(n1)≡n1=1 ∨ ∃n2.n1=n2+2∧Pcyc(n2)

Pcyc(n1)≡∃k .n1=2k+1∧k≥0

∆b3 is equi-satisfiable to ∆flat

3 :

∆b3≡∃ x1,y1,x2,y2,n1.(y 7→node(x1,y1)∗x 7→node(null, y2)∧x 6=null∧

y 6=null∧n=n1+1)∧(∃k .n1=2k+1∧k≥0)


Flattening Cyclic Unfolding Tree

∆0

∆1 ∆♣2

∆3 ∆♣4

=⇒

∆0

∆1 ∆b3

baseP(Q(x,y,n))≡{∆1,∆b

3}


Proposed Decidable Fragment

An inductive predicate is in the proposed decidable fragment if all

numerical projections of base leaves; and

Pcyc predicates

are Presburger-definable (i.e., can be computed as Presburger

formulas).

Some systems of arithmetic inductive predicates arePresburger-definable:

DPI (Tatsuta et. al. - APLAS 2016)

periodic sets (Bozga et. al. - CAV 2010)


Conclusion

Test Input Generation using Separation Logic

A decision procedure for an extensible decidable fragment in

separation logic including general inductive predicates and

arithmetic

Base Computation:

Construct Unfolding Tree

∆0

∆11 ∆⋆

12

∆21 ∆22 ∆31 ∆⋆

32

Flatten Unfolding Tree

∆0

∆11 ∆b31

∆21 ∆22

baseP(P(v̄))≡{∆21,∆b

31}


Future Work

SAT solver

array separation logic with inductive predicates

extension of separation logic with string logic

Cyclic proof: ENT to SAT and now back to ENT

for bi-abduction problem

completeness


Documents

Test Case Generation for Heap Inputs using Separation Logic · Test Case Generation for Heap Inputs using Separation Logic Quang Loc Le A joint work with many collaborators NII Shonan