Program verification by lazy abstraction
Download
1 / 91

Program Verification by Lazy Abstraction - PowerPoint PPT Presentation


  • 172 Views
  • Uploaded on

Program Verification by Lazy Abstraction. Lecture 1. Ranjit Jhala UC San Diego. With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre. Software Validation. Large scale reliable software is hard to build and test Different groups write different components

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Program Verification by Lazy Abstraction' - kimo


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Program verification by lazy abstraction

Program Verification byLazy Abstraction

Lecture1

Ranjit Jhala

UC San Diego

With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre


Software validation
Software Validation

  • Large scale reliable software is hard to build and test

  • Different groups write different components

  • Integration testing is a nightmare


Property checking
Property Checking

  • Programmer gives partial specifications

  • Code checked for consistency w/ spec

  • Different from program correctness

    • Specifications are not complete

    • Is there a complete spec for Word ? Emacs ?


Interface usage rules
Interface Usage Rules

  • Rules in documentation

    • Order of operations & data access

    • Resource management

    • Incomplete, unenforced, wordy

  • Violated rules ) bad behavior

    • System crash or deadlock

    • Unexpected exceptions

    • Failed runtime checks


Property 1 double locking

lock

unlock

unlock

lock

Property 1: Double Locking

“An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock.”

Calls to lock and unlock must alternate.


Property 2 drop root privilege
Property 2: Drop Root Privilege

[Chen-Dean-Wagner ’02]

“User applications must not run with root privilege”

When execv is called, must have suid  0


Property 3 irp handler

start NP

CallDriver

SKIP1

SKIP2

return

child status

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

return

not Pend

no prop

completion

synch

CallDriver

N/A

N/A

IRP accessible

CallDriver

start P

SKIP2

Mark Pending

SKIP1

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

return

Pending

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

no prop

completion

CallDriver

N/A

Property 3 : IRP Handler

[Fahndrich]


Does a given usage rule hold
Does a given usage rule hold?

  • Undecidable!

    • Equivalent to the halting problem

  • Restricted computable versions are

    prohibitively expensive (PSPACE)

  • Why bother ?

    • Just because a problem is undecidable,

      it doesn’t go away!


Example

lock

unlock

unlock

lock

Example

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}


What a program really is

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

What a program really is…

State

Transition

3: unlock();

new++;

4:} …

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;}


The safety verification problem
The Safety Verification Problem

Error

Safe

Initial

Is there a path from an initial to an error state ?

Problem:Infinitestate graph

Solution : Set of states ' logical formula


Representing states as formulas
Representing States asFormulas

[F]

states satisfyingF {s | s² F }

F

FO fmla over prog. vars

[F1] Å [F2]

F1ÆF2

[F1] [ [F2]

F1 ÇF2

[F]

: F

[F1] µ [F2]

F1 implies F2

i.e. F1Æ: F2 unsatisfiable


Idea 1 predicate abstraction
Idea 1: Predicate Abstraction

  • Predicates on program state:

    lock

    old = new

  • States satisfying same predicates

    are equivalent

    • Merged into one abstract state

  • #abstract states is finite


Abstract states and transitions

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

Abstract States and Transitions

State

3: unlock();

new++;

4:} …

Theorem Prover

lock

old=new

: lock

: old=new


Abstraction

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

Abstraction

State

3: unlock();

new++;

4:} …

Theorem Prover

lock

old=new

: lock

: old=new

Existential Lifting


Abstraction1

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

Abstraction

State

3: unlock();

new++;

4:} …

lock

old=new

: lock

: old=new


Analyze abstraction
Analyze Abstraction

Analyze finite graph

Over Approximate:

Safe ) System Safe

No false negatives

Problem

Spurious counterexamples


Idea 2 counterex guided refinement
Idea 2: Counterex.-Guided Refinement

Solution

Use spurious counterexamples

to refine abstraction!


Idea 2 counterex guided refinement1
Idea 2: Counterex.-Guided Refinement

Solution

Use spurious counterexamples

to refine abstraction

1. Add predicates to distinguish

states across cut

2. Build refined abstraction

Imprecision due to merge


Iterative abstraction refinement
Iterative Abstraction-Refinement

Solution

Use spurious counterexamples

to refine abstraction

1. Add predicates to distinguish

states across cut

2. Build refined abstraction

-eliminates counterexample

3. Repeat search

Till real counterexample

or system proved safe

[Kurshan et al 93] [Clarke et al 00]

[Ball-Rajamani 01]


Lazy abstraction
Lazy Abstraction

Yes

BLAST

Safe

Abstract

CProgram

Refine

No

Property

Trace


Problem abstraction is expensive
Problem: Abstraction is Expensive

Reachable

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

Observe

Fraction of state space reachable

#Preds ~ 100’s, #States ~ 2100 ,

#Reach ~ 1000’s


Solution1: Only Abstract Reachable States

Safe

Solution

Build abstraction during search

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries


Solution2: Don’t Refine Error-Free Regions

Error

Free

Solution

Don’t refine error-free regions

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries


Key idea reachability tree
Key Idea: Reachability Tree

Initial

Unroll Abstraction

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

Find min infeasible suffix

- Learn new predicates

- Rebuild subtree with new preds.

5

4

3


Key idea reachability tree1
Key Idea: Reachability Tree

Initial

Unroll Abstraction

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min infeasible suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

5

3

3

Error Free


Key idea reachability tree2
Key Idea: Reachability Tree

Initial

Unroll

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min spurious suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

8

5

8

3

1

1

3

Error Free

S1: Only Abstract Reachable States

S2: Don’t refine error-free regions

SAFE


Build and search
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

1

Reachability Tree

Predicates:LOCK


Build and search1
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK

1

2

Reachability Tree

Predicates:LOCK


Build and search2
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

[q!=NULL]

3

LOCK

1

2

3

Reachability Tree

Predicates:LOCK


Build and search3
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

q->data = new

unlock()

new++

4

: LOCK

4

1

2

3

Reachability Tree

Predicates:LOCK


Build and search4
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

4

: LOCK

[new==old]

5

: LOCK

5

4

1

2

3

Reachability Tree

Predicates:LOCK


Build and search5
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

4

: LOCK

5

: LOCK

5

unlock()

4

: LOCK

1

2

3

Reachability Tree

Predicates:LOCK


Analyze counterexample
Analyze Counterexample

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK

[q!=NULL]

3

LOCK

q->data = new

unlock()

new++

4

: LOCK

[new==old]

5

: LOCK

5

unlock()

4

: LOCK

1

2

3

Reachability Tree

Predicates:LOCK


Analyze counterexample1
Analyze Counterexample

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

old = new

2

LOCK

3

LOCK

new++

4

: LOCK

[new==old]

5

: LOCK

5

Inconsistent

4

: LOCK

new == old

1

2

3

Reachability Tree

Predicates:LOCK


Repeat build and search
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

1

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search1
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK , new==old

1

2

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search2
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

q->data = new

unlock()

new++

4

: LOCK , : new = old

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search3
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

4

: LOCK , : new = old

[new==old]

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search4
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

4

: LOCK , : new = old

[new!=old]

1

: LOCK,

: new == old

4

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search5
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old


Key idea reachability tree3
Key Idea: Reachability Tree

Initial

Unroll

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min spurious suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

8

5

8

3

1

1

3

Error Free

S1: Only Abstract Reachable States

S2: Don’t refine error-free regions

SAFE


Two handwaves
Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old


Two handwaves1
Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

Q. How to compute “successors” ?

2

LOCK , new==old

SAFE

3

3

LOCK , new==old

LOCK , new==old

q->data = new

unlock()

new++

4

4

4

LOCK , new=old

: LOCK , : new = old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old


Two handwaves2
Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

Q. How to compute “successors” ?

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

Q. How to find predicates ?

1

5

5

Refinement

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Predicates:LOCK, new==old


Two handwaves3
Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

Q. How to compute “successors” ?

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

Refinement

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Predicates:LOCK, new==old


Weakest preconditions
Weakest Preconditions

WP(P,OP)

Weakest formula P’ s.t.

if P’ is true beforeOP

then P is true afterOP

[WP(P, OP)]

OP

[P]


Weakest preconditions1
Weakest Preconditions

WP(P,OP)

Weakest formula P’ s.t.

if P’ is true beforeOP

then P is true afterOP

[WP(P, OP)]

OP

[P]

P[e/x]

new+1 = old

Assign

new=new+1

x=e

P

new = old


Weakest preconditions2
Weakest Preconditions

WP(P,OP)

Weakest formula P’ s.t.

if P’ is true beforeOP

then P is true afterOP

[WP(P, OP)]

OP

[P]

c ) P

new=old ) new=old

Assume

Branch

[new=old]

[c]

P

new = old


How to compute successor
How to compute successor ?

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

3

F

LOCK , new==old

OP

?

4

: LOCK , : new = old

For each p

  • Check if p is true (or false) after OP

    Q:When is p true afterOP ?

    - If WP(p, OP) is true beforeOP !

    - We know F is true before OP

    - Thm. Pvr. Query: F) WP(p, OP)

Predicates:LOCK, new==old


How to compute successor1
How to compute successor ?

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

3

F

LOCK , new==old

OP

?

4

For each p

  • Check if p is true (or false) after OP

    Q:When is p false afterOP ?

    - If WP(: p, OP) is true beforeOP !

    - We know F is true before OP

    - Thm. Pvr. Query: F) WP(: p, OP)

Predicates:LOCK, new==old


How to compute successor2
How to compute successor ?

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

3

F

LOCK , new==old

OP

?

4

: new = old

: LOCK , : new = old

For each p

  • Check if p is true (or false) after OP

    Q:When is p false afterOP ?

    - If WP(: p, OP) is true beforeOP !

    - We know F is true before OP

    - Thm. Pvr. Query: F) WP(: p, OP)

Predicate: new==old

(LOCK , new==old) ) (new + 1 = old)

True ?

NO

False ?

(LOCK , new==old) ) (new + 1  old)

YES


Lazy abstraction1
Lazy Abstraction

Yes

Safe

Abstract

CProgram

Refine

No

Property

Trace

Problem:Abstraction is Expensive

Solution:1.Abstract reachable states, 2. Avoid refining error-free regions

Key Idea: Reachability Tree


Property irp handler

start NP

CallDriver

SKIP1

SKIP2

return

child status

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

return

not Pend

no prop

completion

synch

CallDriver

N/A

N/A

IRP accessible

CallDriver

start P

SKIP2

Mark Pending

SKIP1

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

return

Pending

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

no prop

completion

CallDriver

N/A

Property: IRP Handler

[Fahndrich]


Results

Property3:

IRP Handler

Win NT DDK

Results

* Pre-processed


Predicates grows with program size
#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

T

F

T

Tracking lock not enough

Problem:

p1,…,pn needed for verification

Exponential reachable abstract states


Predicates grows with program size1
#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

: LOCK

LOCK, p1

: LOCK, : p1

: LOCK, : p1

: LOCK, p1

: LOCK

p1p2

p1: p2

: p1 p2

: p1: p2

2nAbstract States

Problem:

p1,…,pn needed for verification

Exponential reachable abstract states


Predicates useful locally

LOCK , p2

: LOCK , : p2

: LOCK

Predicates useful locally

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

: LOCK

p1

LOCK , p1

: LOCK, : p1

: LOCK , : p1

: LOCK

: LOCK , p1

: LOCK

: LOCK

p2

pn

2n Abstract States

Solution: Use predicates only where needed

Using Counterexamples:

Q1.Find predicates

Q2.Find where predicates are needed


Lazy abstraction2
Lazy Abstraction

Yes

Safe

Abstract

CProgram

Refine

No

Property

Trace

Problem:#Preds grows w/ Program Size

Solution: Localize pred. use, find where preds. needed

Ctrex.

Trace

Pred. Map

PC  Preds.

Refine


Counterexample traces
Counterexample Traces

1: x = ctr;

2: ctr = ctr + 1;

3: y = ctr;

4: if (x = i-1){

5: if (y != i){

ERROR: }

}

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

y = x +1


Trace formulas
Trace Formulas

1: x = ctr

2: ctr = ctr+1

3: y = ctr

4: assume(x=i-1)

5: assume(yi)

1: x1 = ctr0

2: ctr1 = ctr0+1

3: y1 = ctr1

4: assume(x1=i0-1)

5: assume(y1i0)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Trace

Trace Feasibility

Formula

SSA Trace

Thm: Trace is feasible, TF is satisfiable


The present state
The Present State…

Trace

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

… is all the information the

executing program hashere

State…

1. … after executing trace past (prefix)

2. … knows present values of variables

3. … makes trace future (suffix) infeasible

At pc4, which predicate on

present stateshows

infeasibility offuture ?


What predicate is needed
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0 +1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)


What predicate is needed1
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

1. … after executing trace prefix


What predicate is needed2
What Predicate is needed ?

Trace Formula (TF)

Trace

x1

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

1. … after executing trace prefix

2. … has present values of variables


What predicate is needed3
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

1. … after executing trace prefix

2. … has present values of variables

3. … makes trace suffix infeasible


What predicate is needed4
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

1. … after executing trace prefix

2. … has present values of variables

3. … makes trace suffix infeasible


Interpolant predicate
Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Computable from

Proof of Unsat

[Krajicek 97] [Pudlak 97]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable


Another interpretation
Another interpretation …

Trace Formula

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

After

exec

prefix

-

-

Interpolate

Can

exec

suffix

+

+

y1 = x1 + 1

Unsat = Empty Intersection = Trace Infeasible

Interpolant  =

Overapprox. states after prefix

that cannotexecute suffix


Interpolant predicate1
Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Computable from

Proof of Unsat

[Krajicek 97] [Pudlak 97]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable


Interpolant predicate2
Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

Q. How to compute interpolants ? …

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Computable from

Proof of Unsat

[Krajicek 97] [Pudlak 97]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable


Building predicate maps
Building Predicate Maps

Predicate Map

2:x= ctr

Trace

Trace Formula

-

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Interpolate

x1 = ctr0

+

  • Cut + Interpolate at each point

  • Pred. Map: pci Interpolant from cut i


Building predicate maps1
Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr-1

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

-

Interpolate

x1= ctr1-1

+

  • Cut + Interpolate at each point

  • Pred. Map: pci Interpolant from cut i


Building predicate maps2

-

Interpolate

+

Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

y1= x1+1

  • Cut + Interpolate at each point

  • Pred. Map: pci Interpolant from cut i


Building predicate maps3

-

Interpolate

+

Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

5:y = i

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

y1= i0

  • Cut + Interpolate at each point

  • Pred. Map: pci Interpolant from cut i


Local predicate use
Local Predicate Use

Use predicates needed at location

  • #Preds. grows with program size

  • #Preds per location small

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

5:y = i

Verification scales …

Local Predicate use

Ex: 2n states

Global Predicate use

Ex: 2n states


Results1

Property3:

IRP Handler

Win NT DDK

Results

* Pre-processed


Localizing

Property3:

IRP Handler

Win NT DDK

Localizing

* Pre-processed


Q. How to compute interpolants ?


Proof of unsatisfiability
Proof of Unsatisfiability

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

x1 = ctr0

x1 = i0 -1

ctr1= ctr0+1

ctr0 = i0-1

ctr1 = i0

y1= ctr1

y1= i0

y1 i0

;

Proof of Unsatisfiability

Trace Formula


Another proof of unsatisfiability

x1 = ctr0

x1 = i0 -1

ctr1= ctr0+1

ctr0 = i0-1

ctr1 = i0

y1= ctr1

y1= i0

y1 i0

;

Proof of Unsatisfiability

Another Proof of Unsatisfiability

£ (-1)

£ 1

x1-i0 +1=0

x1– ctr0=0

£ 1

ctr1- ctr0-1=0

ctr0-i0+1=0

£ 1

y1-ctr1=0

ctr1-i0 =0

£ 1

y1-i0 0

y1-i0=0

0 0

Rewritten Proof


Interpolant from rewritten proof
Interpolant from Rewritten Proof ?

£ (-1)

£ 1

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

x1-i0 +1=0

x1– ctr0=0

£ 1

ctr1- ctr0-1=0

ctr0-i0+1=0

£ 1

y1-ctr1=0

ctr1-i0 =0

Interpolate

£ 1

y1-i0 0

y1-i0=0

0 0

Rewritten Proof

Trace Formula


Interpolant from rewritten proof1
Interpolant from Rewritten Proof ?

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

x1– ctr0=0

£ (-1)

£ 1

ctr1- ctr0-1=0

£ 1

y1-ctr1=0

Interpolate

y1=x1+1

y1-x1-1=0

Interpolant !

Trace Formula


Lazy abstraction3
Lazy Abstraction

Yes

Safe

Abstract

CProgram

Refine

No

Property

Trace

Problem:#Preds grows w/ Program Size

Solution: Localize pred. use, find where preds. needed

Refine

Trace

Feas

Formula

Proof of

Unsat

Ctrex.

Trace

Pred. Map

PC  Preds.

Thm Pvr

Interpolate


Verification by theorem proving
Verification by Theorem Proving

1. Loop Invariants

2. Logical formula

3. Check Validity

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

Invariant:

lock Æ new = old

Ç

: lock Æ new  old


Verification by theorem proving1
Verification by Theorem Proving

1. Loop Invariants

2. Logical formula

3. Check Validity

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

  • - Loop Invariants

  • Multithreaded Programs

  • + Behaviors encoded in logic

  • + Decision Procedures

[ESC]

Precise


Verification by program analysis
Verification by Program Analysis

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

1. Dataflow Facts

2. Constraint System

3. Solve constraints

- Imprecision due to fixed facts

+ Abstraction

+ Type/Flow Analyses

[CQUAL, ESP, MC]

Scalable


Verification by model checking
Verification by Model Checking

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

1. (Finite State) Program

2. State Transition Graph

3. Reachability

- Pgm ! Finite state model

  • State explosion

    + State Exploration

    + Counterexamples

[SPIN, SMV, Bandera,JPF ]

Precise


Combining strengths
Combining Strengths

Program Analysis

- Imprecise

+ Abstraction

Shrink state space

Theorem Proving

- loop invariants

+ Behaviors encoded in logic

Refine

+ Theorem provers

Computing Successors,Refine

Lazy

Abstraction

Model Checking

- Finite-state model, state explosion

+ State Space Exploration

Path Sensitive Analysis

+ Counterexamples

Finding Relevant Facts


Lazy abstraction main ideas
Lazy Abstraction: Main Ideas

  • Predicates:

    • Abstract infinite program states

  • Counterexample-guided Refinement:

    • Find predicates tailored to prog, property

  • Abstraction : Expensive

    Reachability Tree

  • Refinement : Find predicates, use locations Proof of unsat of TF + Interpolation


Next lecture modular analyses
Next Lecture: Modular Analyses

Procedures

- Summaries

Concurrency

- Thread-Context Reasoning


ad