Chef: Prototyping Symbolic Execution Engines for Interpreted Languages

CHEF
Prototyping Symbolic Execution Engines
for Interpreted Languages
School of Computer and Communication Sciences
EPFL, Switzerland
Stefan Bucur, Johannes Kinder, George Candea

View Slide

Automated Software Testing

View Slide

Symbolic execution

View Slide

Symbolic execution
is used for
bug ﬁnding, increasing coverage, debugging

View Slide

Symbolic execution
is used for
and applied on
device drivers, system utilities,
ﬁle parsers, distributed systems,

View Slide

Symbolic execution
is used for
and applied on
device drivers, system utilities,
ﬁle parsers, distributed systems,
interpreted programs
Today

View Slide

Symbolic Execution
int foo(int x) {
if (x > 10) {
return 2*x;
}
x = x + 1;
if (x > 5) {
return 3*x;
} else {
return x;
}
}

View Slide

Symbolic Execution
int foo(int x) {
if (x > 10) {
return 2*x;
}
x = x + 1;
if (x > 5) {
return 3*x;
} else {
return x;
}
}
x⟵λ

View Slide

λ>10 λ≤10
Symbolic Execution
int foo(int x) {
if (x > 10) {
return 2*x;
}
x = x + 1;
if (x > 5) {
return 3*x;
} else {
return x;
}
}
x⟵λ

View Slide

λ>10 λ≤10
Symbolic Execution
int foo(int x) {
if (x > 10) {
return 2*x;
}
x = x + 1;
if (x > 5) {
return 3*x;
} else {
return x;
}
}
ret 2λ
x⟵λ
x⟵λ+1

View Slide

λ+1>5
λ>10 λ≤10
Symbolic Execution
int foo(int x) {
if (x > 10) {
return 2*x;
}
x = x + 1;
if (x > 5) {
return 3*x;
} else {
return x;
}
}
ret 2λ
ret λ+1
λ+1≤5
x⟵λ
x⟵λ+1
ret 3(λ+1)

View Slide

Test case: λ = 6
(λ≤10)∧(λ+1>5)
λ+1>5
λ>10 λ≤10
Symbolic Execution
int foo(int x) {
if (x > 10) {
return 2*x;
}
x = x + 1;
if (x > 5) {
return 3*x;
} else {
return x;
}
}
ret 2λ
ret λ+1
λ+1≤5
Test cases for bug ﬁnding and statement coverage
x⟵λ
x⟵λ+1
ret 3(λ+1)

View Slide

Programming
Languages
Symbolic Execution
Engines

View Slide

Programming
Languages
Symbolic Execution
Engines
Scala
Java C#
C C++

View Slide

Programming
Languages
Symbolic Execution
Engines
Java Bytecode
LLVM
x86 ARM
Scala
Java C#
C C++
Compiled

View Slide

Programming
Languages
Symbolic Execution
Engines
Java Bytecode
LLVM
x86 ARM
Scala
Java C#
C C++
Compiled
BitBlaze
KLEE
JPF
SAGE
S2E

View Slide

Programming
Languages
Symbolic Execution
Engines
Java Bytecode
LLVM
x86 ARM
Scala
Java C#
C C++
Python Ruby
Lua JavaScript
Bash Perl
Compiled
BitBlaze
KLEE
JPF
SAGE
S2E

View Slide

Programming
Languages
Symbolic Execution
Engines
Java Bytecode
LLVM
x86 ARM
Scala
Java C#
C C++
Python Ruby
Lua JavaScript
Bash Perl
Compiled
BitBlaze
KLEE
JPF
SAGE
S2E
?

View Slide

def parse_file(file_name):
with open(file_name, "r") as f:
data = f.read()
return json.loads(data, encoding="utf-8")
Interpreted Languages

View Slide

data = f.read()
Complex semantics
Complete
File Read

View Slide

data = f.read()
Complex semantics
+
Ambiguity in speciﬁcations
Complete
File Read
Incomplete
Speciﬁcation

View Slide

data = f.read()
Complex semantics
+
+
Evolving language
Since
Python 2.5
Complete
File Read
Incomplete
Speciﬁcation

View Slide

data = f.read()
Complex semantics
+
+
Evolving language
+
Large standard library
Since
Python 2.5
Complete
File Read
Incomplete
Speciﬁcation

View Slide

data = f.read()
Complex semantics
+
+
Evolving language
+
+
Widespread native methods
Since
Python 2.5
Complete
File Read
Incomplete
Speciﬁcation

View Slide

data = f.read()
Complex semantics
+
+
Evolving language
+
+
Widespread native methods
Since
Python 2.5
Complete
File Read
Incomplete
Speciﬁcation
Signiﬁcant
Engineering Effort

View Slide

“Consequently, if you were coming from
Mars and tried to re-implement Python
from this document alone, you might
have to guess things and in fact you
would probably end up implementing
quite a different language.”
- The Python Language Reference

View Slide

How can we efﬁciently obtain
a correct symbolic execution engine?

View Slide

Key idea:
Use the language interpreter
as executable speciﬁcation

View Slide

Symbolic Execution
Engine for
Language X
CHEF
Key idea:
Language X
Interpreter

View Slide

Symbolic Execution
Engine for
Language X
CHEF
Program +
Symbolic Tests
Test Cases
Key idea:
Language X
Interpreter

View Slide

Chef Overview
• Built on top of the S2E symbolic
execution engine for x86
• Relies on lightweight interpreter
instrumentation + optimizations
• Prototyped engines for Python and Lua
in 5 + 3 person-days

View Slide

Talk Outline
1. Challenges
2. Class-Uniform Path Analysis (CUPA)
3. Interpreter Recipe
4. Uses and Evaluation

View Slide

Testing Interpreted Programs
Naive approach:
Run interpreter in a stock symbolic execution engine

View Slide

def validateEmail(email):
pos = email.find("@")
if pos < 1:
raise InvalidEmailError()
if email.rfind(".") < pos:
Naive approach:

View Slide

if pos < 1:
Naive approach:
Python Interpreter
./python program.py

View Slide

if pos < 1:
x86 Symbolic Execution Engine
(S2E)
Naive approach:
Python Interpreter
./python program.py

View Slide

Naive approach:

View Slide

Py_LOCAL_INLINE(Py_ssize_t)
fastsearch(const STRINGLIB_CHAR* s, Py_ssize_t n,
const STRINGLIB_CHAR* p, Py_ssize_t m,
Py_ssize_t maxcount, int mode)
{
unsigned long mask;
Py_ssize_t skip, count = 0;
Py_ssize_t i, j, mlast, w;
w = n - m;
if (w < 0 || (mode == FAST_COUNT && maxcount == 0))
return -1;
/* look for special cases */
if (m <= 1) {
Naive approach:

View Slide

STRINGLIB_BLOOM_ADD(mask, p[i]);
if (p[i] == p[0])
skip = i - 1;
}
for (i = w; i >= 0; i--) {
if (s[i] == p[0]) {
/* candidate match */
for (j = mlast; j > 0; j--)
if (s[i+j] != p[j])
break;
if (j == 0)
/* got a match! */
return i;
/* miss: check if previous character is part of
if (i > 0 && !STRINGLIB_BLOOM(mask, s[i-1]))
i = i - m;
else
i = i - skip;
} else {
/* skip: check if previous character is part of
i = i - m;
}
}
}
if (mode != FAST_COUNT)
Naive approach:

View Slide

if (p[i] == p[0])
skip = i - 1;
}
for (i = w; i >= 0; i--) {
if (s[i] == p[0]) {
if (s[i+j] != p[j])
break;
if (j == 0)
/* got a match! */
return i;
i = i - m;
else
i = i - skip;
} else {
i = i - m;
}
}
}
Naive approach:
Path Explosion

View Slide

if (p[i] == p[0])
skip = i - 1;
}
for (i = w; i >= 0; i--) {
if (s[i] == p[0]) {
if (s[i+j] != p[j])
break;
if (j == 0)
/* got a match! */
return i;
i = i - m;
else
i = i - skip;
} else {
i = i - m;
}
}
}
Gets lost in the details of the implementation
Naive approach:
Path Explosion

View Slide

High-level Execution Paths
if pos < 1:
High-level
execution tree

View Slide

if pos < 1:
High-level
execution tree
Low-level (x86)
execution tree

View Slide

if pos < 1:
HL/LL path ratio is low
due to path explosion
3 HL paths
10 LL paths
High-level
execution tree
Low-level (x86)
execution tree

View Slide

Goal:
Prioritize the low-level paths
that maximize the HL/LL path ratio.

View Slide

Alternative approach:
Select states at high-level
branches

View Slide

Fork
(low-level)
Divergence
(high-level)
branches

View Slide

Fork
(low-level)
Divergence
(high-level)
High-level fork points are
unpredictable
branches

View Slide

Talk Outline
1. Challenges

View Slide

Reducing Path Explosion
Program

View Slide

Fork points clustered in hot spots
Program Low High
Selection probability

View Slide

Program
“Fork bomb”
(e.g., input dependent loop)
Low High
Global DFS / BFS / randomized strategy

View Slide

Clusters grow bigger 㱺 Slower overall progress
Program
“Fork bomb”
Low High

View Slide

Clusters grow bigger 㱺 Slower overall progress
Program
“Fork bomb”
Low High
Reduced state diversity

View Slide

Program
Idea:
Partition the state space into groups

View Slide

Program
Idea:
Select group
Select state
from group

View Slide

Program
Idea:
Select group
Select state
from group
Faster progress across all groups

View Slide

Program
Idea:
Select group
Select state
from group
Faster progress across all groups
Increased state diversity

View Slide

Class-Uniform Path Analysis

View Slide

Class-Uniform Path Analysis
States arranged in a class hierarchy
Class 1
Class 2

View Slide

Partitioning High-level Paths

View Slide

High-level Instruction
(Bytecode Instruction)

View Slide

High-level
Program Counter

View Slide

Low-level
x86 PC
High-level
Program Counter

View Slide

Low-level
x86 PC
High-level
Program Counter
1st CUPA Class

View Slide

Low-level
x86 PC
High-level
Program Counter
1st CUPA Class
2nd CUPA Class
Reconstruct high-level execution tree

View Slide

CUPA Classes
1. High-level PC
• Uniform HL instruction exploration
• Obtained via instrumentation
2. x86 PC
• Uniform native method exploration
• Approximated as the PC of fork point
Coverage-optimized CUPA in the paper

View Slide

Talk Outline
1. Challenges

View Slide

switch (opcode) {
case LOAD:
...
case STORE:
...
case CALL_FUNCTION:
...
...
}
hlpc++;
}
Interpreter Loop Instrumentation
while (true) {
fetch_instr(hlpc, &opcode, &params);

View Slide

switch (opcode) {
case LOAD:
...
case STORE:
...
case CALL_FUNCTION:
...
...
}
hlpc++;
}
Interpreter Loop Instrumentation
while (true) {
fetch_instr(hlpc, &opcode, &params);
Reconstruct high-level execution tree and CFG
chef_log_hlpc(hlpc, opcode);

View Slide

Interpreter Optimizations
static long
string_hash(PyStringObject *a)
{
#ifdef SYMBEX_HASHES
return 0;
#else
register Py_ssize_t len;
register unsigned char *p;
register long x;
len = Py_SIZE(a);
p = (unsigned char *) a->ob_sval;
x = _Py_HashSecret.prefix;
x ^= *p << 7;
while (--len >= 0)
x = (1000003*x) ^ *p++;
x ^= Py_SIZE(a);
x ^= _Py_HashSecret.suffix;
if (x == -1)
x = -2;
return x;
#endif
}
Hash neutralization

View Slide

• Simple changes to interpreter source
static long
{
return 0;
#else
register long x;
len = Py_SIZE(a);
x ^= *p << 7;
while (--len >= 0)
x = (1000003*x) ^ *p++;
x ^= Py_SIZE(a);
if (x == -1)
x = -2;
return x;
#endif
}
Hash neutralization

View Slide

• “Anti-optimizations” in linear
performance...
static long
{
return 0;
#else
register long x;
len = Py_SIZE(a);
x ^= *p << 7;
while (--len >= 0)
x = (1000003*x) ^ *p++;
x ^= Py_SIZE(a);
if (x == -1)
x = -2;
return x;
#endif
}
Hash neutralization

View Slide

• “Anti-optimizations” in linear
performance...
• ... but exponential gains in symbolic
mode
static long
{
return 0;
#else
register long x;
len = Py_SIZE(a);
x ^= *p << 7;
while (--len >= 0)
x = (1000003*x) ^ *p++;
x ^= Py_SIZE(a);
if (x == -1)
x = -2;
return x;
#endif
}
Hash neutralization

View Slide

Program +
Symbolic Tests
Symbolic Execution
Engine for
Language X
Chef Summary
Language X
Interpreter
(+instrumentation)
CHEF API
HL Tree
Reconstr.
CUPA
State
Selection
S2E x86 Symbolic Execution
CHEF

View Slide

Talk Outline
1. Challenges

View Slide

Chef-Prototyped Engines
Python
5 person-days
321 LoC
Lua
3 person-days
277 LoC

View Slide

Evaluation Questions
How does a Chef-obtained engine...
• ... work for test case generation?
• ... beneﬁt from CUPA and optimizations?
• ... compare to a dedicated implementation?

View Slide

Using a Chef Engine
class ArgparseTest(SymbolicTest):
def setUp(self):
self.argparse = import_module("argparse")
def runTest(self):
parser = self.argparse.ArgumentParser()
arg_name = self.getSymString(size=3)
arg_value = self.getSymString(size=3)
parser.add_argument(arg_name)
args = parser.parse_args([arg_value])

View Slide

Using a Chef Engine
class ArgparseTest(SymbolicTest):
def setUp(self):
self.argparse = import_module("argparse")
def runTest(self):
parser = self.argparse.ArgumentParser()
arg_name = self.getSymString(size=3)
arg_value = self.getSymString(size=3)
parser.add_argument(arg_name)
args = parser.parse_args([arg_value])
CHEF
Symbolic Test
Library
Program

View Slide

Testing Python Packages
xlrd
simplejson
argparse
HTMLParser
ConﬁgParser
unicodecsv
6 Popular Packages
10.9K lines of Python code
30 min. / package
> 7,000 tests generated
4 undocumented exceptions found

View Slide

Testing Python Packages
xlrd
simplejson
argparse
HTMLParser
ConﬁgParser
unicodecsv
6 Popular Packages
10.9K lines of Python code
30 min. / package
> 7,000 tests generated
4 undocumented exceptions found
High bug ﬁnding potential for dynamic languages

View Slide

xlrd simplejson
argparse
HTMLParser
ConﬁgParser
unicodecsv
Efﬁciency
Package
0.1
1
10
100
1000
10000
Path Ratio (P / PBaseline)
CUPA + Optimizations
Baseline

View Slide

xlrd simplejson
argparse
HTMLParser
ConﬁgParser
unicodecsv
Efﬁciency
Package
0.1
1
10
100
1000
10000
Path Ratio (P / PBaseline)
CUPA + Optimizations
Optimizations Only
CUPA Only
Baseline

View Slide

Comparison to Dedicated Engine
• Symbolic execution engine of NICE [1]
• Targets OpenFlow applications in Python
• Case Study: Switch MAC learning algorithm
[1] M. Canini, D. Venzano, P. Peresini, D. Kostic, and J. Rexford.
“A NICE way to test OpenFlow applications.” NSDI 2012.

View Slide

Overhead
1
10
100
1000
1 2 3 4 5 6 7 8 9 10
Size of Symbolic Input [# of Ethernet frames]
CHEF Overhead
TCHEF
/TNICE

View Slide

Overhead
1
10
100
1000
1 2 3 4 5 6 7 8 9 10
CHEF Overhead
TCHEF
/TNICE
>100×

View Slide

Overhead
1
10
100
1000
1 2 3 4 5 6 7 8 9 10
CHEF Overhead
TCHEF
/TNICE
>100×
5×
O
ne-tim
e
Initialization

View Slide

Overhead
1
10
100
1000
1 2 3 4 5 6 7 8 9 10
CHEF Overhead
TCHEF
/TNICE
>100×
5×
40×
O
ne-tim
e
Initialization
x86 Reasoning Overhead
(Instructions + Constraints)

View Slide

Chef Engine as Reference Implementation
Chef-Python Reference Paths

View Slide

Test Cases
NICE
Dedicated
Engine

View Slide

Test Cases
NICE
Dedicated
Engine
Missing Paths
Duplicate Paths
Chef engine’s correctness outweighs performance penalty

View Slide

Conclusions
http://dslab.epfl.ch/proj/chef
CHEF
Program +
Symbolic Tests
Language X
Interpreter
Test Cases

View Slide

Chef: Prototyping Symbolic Execution Engines for Interpreted Languages

Chef: Prototyping Symbolic Execution Engines for Interpreted Languages

Stefan Bucur

More Decks by Stefan Bucur

Other Decks in Research

Featured

Transcript