1 / 27

Predicate Abstraction of ANSI-C Programs using SAT

Predicate Abstraction of ANSI-C Programs using SAT. Edmund Clarke Daniel Kroening Natalia Shar y gina Karen Yorav (modified by Zaher Andraus for presentation in SWERVE only). Abstraction Refinement Loop. No error or bug found. Initial Abstraction. Verification. Actual Program.

jorn
Download Presentation

Predicate Abstraction of ANSI-C Programs using SAT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Predicate Abstraction ofANSI-C Programs using SAT Edmund Clarke Daniel KroeningNatalia SharyginaKaren Yorav (modified by Zaher Andraus for presentation in SWERVE only)

  2. Abstraction Refinement Loop No erroror bug found Initial Abstraction Verification ActualProgram ModelChecker BooleanProgram Spurious counterexample Abstraction refinement • This talk: How to compute Boolean program from • Actual ANSI-C program • Set of predicates

  3. Example int main() { bool p1, p2; p1=TRUE; p2=TRUE; while(p2) { p1=p1?FALSE:nondet(); p2=!p2; } } int main() { int i; i=0; while(even(i)) i++; } + = p1 i=0 p2 even(i)

  4. Problem Concrete Transition (basic block) Concretestate Concretenext state Abstraction function (predicates) Abstractstate Abstractnext state Abstract Transition (basic block)

  5. Background • How to create the initial predicates for abstraction? • (PVS) Manual! (Graf and Saidi, “Construction of abstract state graphs with PVS”) • (SLAM) Manual! (Ball, Majumdar, Millstein, Rajamani, “Automatic Predicate Abstraction of C Programs”) • (Clarke) Control-Driven! (Chaki, Clarke, Groce, Strichman, “Predicate Abstraction with Minimum Predicates”) (modified by Zaher Andraus for presentation in SWERVE only)

  6. Initial Abstract Machine (modified by Zaher Andraus for presentation in SWERVE only)

  7. Optimizations • Eliminate Redundant Predicates (e.g. logically related) • Dynamic • Now we got the Predicates, we need to build the abstract machine! (modified by Zaher Andraus for presentation in SWERVE only)

  8. Existing Tools • Basic idea: with n predicates, there are2n£ 2n possible abstract transitions • Eliminate “obviously wrong” transitions(e.g.: predicate about variable x changes, but basic block does not mention x) • Try some subset of these possible transitions using a theorem prover • To be safe, remaining abstract transitions are added Over-approximation

  9. Existing Tools: Example Predicates Basic Block Formula i++; Query  ? Current Abstract State Next Abstract State

  10. Existing Tools: Example Predicates Basic Block Formula i++; Query  ? … and so on … Current Abstract State Next Abstract State

  11. Comment • This takes care of unreachable abstract states (modified by Zaher Andraus for presentation in SWERVE only)

  12. What is the problem? Problem of existing tools: • Large number of expensive theorem prover calls – slow • Over-approximation yields additional,unnecessary spurious counterexamples • Theorem prover works on natural numbers, but ANSI-C uses bit-vectors  false positives • Most theorem provers support only few operators(+, -, <, ≤, …), no bitwise operators • Very limited support for pointers,in particular pointer arithmetic

  13. Our Solution – use SAT solver! • Generate query equation withpredicates as free variables

  14. Our Solution Single query for Theorem Prover Query for SAT

  15. Queries for Larger Basic Blocks Basic Block Predicates i++; j=i; i=i*k; i1=i0+1; j1=i1; i2=i1*k0; + Query for SAT

  16. Our Solution Query for SAT Use SAT solver! • Generate query equation withpredicates as free variables • Transform equation into CNF using Bit Vector LogicOne satisfying assignment matches one abstract transition • Obtain all satisfying assignments= most precise abstract transition relation

  17. Our Solution Use SAT solver! • Generate query equation withpredicates as free variables • Transform equation into CNF using Bit Vector LogicOne satisfying assignment matches one abstract transition • Obtain all satisfying assignments= most precise abstract transition relation This solves two problems: • Now can do all ANSI-C integer operators, including *, /, %, <<, etc. • Sound with respect to overflow No moreunnecessary spurious counterexamples!

  18. Pointers Support for pointer expressions: • Address expression is translated into a bit vector with two components: • Object pointed at • Integer width offset within object (for arrays) • Supported operators: • &, *, [i] • Pointer + Integer (increases offset) • Pointer – Pointer • Pointer rel Pointer, with rel one of <,>,=, etc. • Check for illegal pointer operations added automatically • NULL reference, array bounds violation, etc…

  19. Pointers: Explanation… • Paper p. 113-114 (modified by Zaher Andraus for presentation in SWERVE only)

  20. Control-Flow Statements • Paper p. 117 (modified by Zaher Andraus for presentation in SWERVE only)

  21. The Set of Satisfying Assignments How do we obtain the set of all satisfying assignments? • This is a common problem – also needed for • Image computation / hardware verification • QBF solvers • Naïve approach: • Run SAT • If Satisfying assignment found then • add blocking clause • continue with 1)

  22. Performance How does the performance compare with existing approaches? • Runtime potentially exponential • Exponential part is inside SAT solver,instead of exponential number ofTheorem Prover calls • SAT solver is not re-started; all the learning and pruning done by modern SAT solvers is retained between iterations. • All heuristics for “obvious” transitions are still applicable

  23. Performance • Worst case:all possible assignments are satisfying • Formula includes addition operator • Runtime uncritical up to 2^14 assignments

  24. Performance • More realistic experiment: two 32-bit variables, plus n predicates • Various operators: +, <, shifting, xor, or, and, combinations thereof, … • All predicates are affected by basic block Compare to 2n£ 2n potential theorem prover calls!

  25. Performance Improvements Better than enumerating? • Approximation of set cover obtains small set of predicates that is actually required to cover the CNF • Analyze literal dependency graph to identify free variables Both techniques yield a set of abstract transitions

  26. Performance Improvements Expensive operators Instead of adding full clause structure for expensive operators such as %, /, *,make it uninterpreted, and add important properties as constraints: • Transitivity • Congruence Closure • Commutativity • Special cases (x/1=x, …) • Others: x/y, y>1  x>x/y etc.

  27. Future Work • Interval abstraction for floating point arithmetic • Experiments with full abstraction refinement loop: Evaluate effect of more precise abstraction • Try predicate abstraction to actually prove properties of computed values • Predicate abstraction for concurrent programs

More Related