Program verification by lazy abstraction
This presentation is the property of its rightful owner.
Sponsored Links
1 / 91

Program Verification by Lazy Abstraction PowerPoint PPT Presentation


  • 108 Views
  • Uploaded on
  • Presentation posted in: General

Program Verification by Lazy Abstraction. Lecture 1. Ranjit Jhala UC San Diego. With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre. Software Validation. Large scale reliable software is hard to build and test Different groups write different components

Download Presentation

Program Verification by Lazy Abstraction

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Program verification by lazy abstraction

Program Verification byLazy Abstraction

Lecture1

Ranjit Jhala

UC San Diego

With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre


Software validation

Software Validation

  • Large scale reliable software is hard to build and test

  • Different groups write different components

  • Integration testing is a nightmare


Property checking

Property Checking

  • Programmer gives partial specifications

  • Code checked for consistency w/ spec

  • Different from program correctness

    • Specifications are not complete

    • Is there a complete spec for Word ? Emacs ?


Interface usage rules

Interface Usage Rules

  • Rules in documentation

    • Order of operations & data access

    • Resource management

    • Incomplete, unenforced, wordy

  • Violated rules ) bad behavior

    • System crash or deadlock

    • Unexpected exceptions

    • Failed runtime checks


Property 1 double locking

lock

unlock

unlock

lock

Property 1: Double Locking

“An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock.”

Calls to lock and unlock must alternate.


Property 2 drop root privilege

Property 2: Drop Root Privilege

[Chen-Dean-Wagner ’02]

“User applications must not run with root privilege”

When execv is called, must have suid  0


Property 3 irp handler

start NP

CallDriver

SKIP1

SKIP2

return

child status

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

return

not Pend

no prop

completion

synch

CallDriver

N/A

N/A

IRP accessible

CallDriver

start P

SKIP2

Mark Pending

SKIP1

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

return

Pending

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

no prop

completion

CallDriver

N/A

Property 3 : IRP Handler

[Fahndrich]


Does a given usage rule hold

Does a given usage rule hold?

  • Undecidable!

    • Equivalent to the halting problem

  • Restricted computable versions are

    prohibitively expensive (PSPACE)

  • Why bother ?

    • Just because a problem is undecidable,

      it doesn’t go away!


Example

lock

unlock

unlock

lock

Example

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}


What a program really is

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

What a program really is…

State

Transition

3: unlock();

new++;

4:} …

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;}


The safety verification problem

The Safety Verification Problem

Error

Safe

Initial

Is there a path from an initial to an error state ?

Problem:Infinitestate graph

Solution : Set of states ' logical formula


Representing states as formulas

Representing States asFormulas

[F]

states satisfyingF {s | s² F }

F

FO fmla over prog. vars

[F1] Å [F2]

F1ÆF2

[F1] [ [F2]

F1 ÇF2

[F]

: F

[F1] µ [F2]

F1 implies F2

i.e. F1Æ: F2 unsatisfiable


Idea 1 predicate abstraction

Idea 1: Predicate Abstraction

  • Predicates on program state:

    lock

    old = new

  • States satisfying same predicates

    are equivalent

    • Merged into one abstract state

  • #abstract states is finite


Abstract states and transitions

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

Abstract States and Transitions

State

3: unlock();

new++;

4:} …

Theorem Prover

lock

old=new

: lock

: old=new


Abstraction

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

Abstraction

State

3: unlock();

new++;

4:} …

Theorem Prover

lock

old=new

: lock

: old=new

Existential Lifting


Abstraction1

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

Abstraction

State

3: unlock();

new++;

4:} …

lock

old=new

: lock

: old=new


Analyze abstraction

Analyze Abstraction

Analyze finite graph

Over Approximate:

Safe ) System Safe

No false negatives

Problem

Spurious counterexamples


Idea 2 counterex guided refinement

Idea 2: Counterex.-Guided Refinement

Solution

Use spurious counterexamples

to refine abstraction!


Idea 2 counterex guided refinement1

Idea 2: Counterex.-Guided Refinement

Solution

Use spurious counterexamples

to refine abstraction

1. Add predicates to distinguish

states across cut

2. Build refined abstraction

Imprecision due to merge


Iterative abstraction refinement

Iterative Abstraction-Refinement

Solution

Use spurious counterexamples

to refine abstraction

1. Add predicates to distinguish

states across cut

2. Build refined abstraction

-eliminates counterexample

3. Repeat search

Till real counterexample

or system proved safe

[Kurshan et al 93] [Clarke et al 00]

[Ball-Rajamani 01]


Lazy abstraction

Lazy Abstraction

Yes

BLAST

Safe

Abstract

CProgram

Refine

No

Property

Trace


Problem abstraction is expensive

Problem: Abstraction is Expensive

Reachable

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

Observe

Fraction of state space reachable

#Preds ~ 100’s, #States ~ 2100 ,

#Reach ~ 1000’s


Program verification by lazy abstraction

Solution1: Only Abstract Reachable States

Safe

Solution

Build abstraction during search

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries


Program verification by lazy abstraction

Solution2: Don’t Refine Error-Free Regions

Error

Free

Solution

Don’t refine error-free regions

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries


Key idea reachability tree

Key Idea: Reachability Tree

Initial

Unroll Abstraction

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

Find min infeasible suffix

- Learn new predicates

- Rebuild subtree with new preds.

5

4

3


Key idea reachability tree1

Key Idea: Reachability Tree

Initial

Unroll Abstraction

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min infeasible suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

5

3

3

Error Free


Key idea reachability tree2

Key Idea: Reachability Tree

Initial

Unroll

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min spurious suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

8

5

8

3

1

1

3

Error Free

S1: Only Abstract Reachable States

S2: Don’t refine error-free regions

SAFE


Build and search

Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

1

Reachability Tree

Predicates:LOCK


Build and search1

Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK

1

2

Reachability Tree

Predicates:LOCK


Build and search2

Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

[q!=NULL]

3

LOCK

1

2

3

Reachability Tree

Predicates:LOCK


Build and search3

Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

q->data = new

unlock()

new++

4

: LOCK

4

1

2

3

Reachability Tree

Predicates:LOCK


Build and search4

Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

4

: LOCK

[new==old]

5

: LOCK

5

4

1

2

3

Reachability Tree

Predicates:LOCK


Build and search5

Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

4

: LOCK

5

: LOCK

5

unlock()

4

: LOCK

1

2

3

Reachability Tree

Predicates:LOCK


Analyze counterexample

Analyze Counterexample

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK

[q!=NULL]

3

LOCK

q->data = new

unlock()

new++

4

: LOCK

[new==old]

5

: LOCK

5

unlock()

4

: LOCK

1

2

3

Reachability Tree

Predicates:LOCK


Analyze counterexample1

Analyze Counterexample

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

old = new

2

LOCK

3

LOCK

new++

4

: LOCK

[new==old]

5

: LOCK

5

Inconsistent

4

: LOCK

new == old

1

2

3

Reachability Tree

Predicates:LOCK


Repeat build and search

Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

1

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search1

Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK , new==old

1

2

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search2

Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

q->data = new

unlock()

new++

4

: LOCK , : new = old

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search3

Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

4

: LOCK , : new = old

[new==old]

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search4

Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

4

: LOCK , : new = old

[new!=old]

1

: LOCK,

: new == old

4

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old


Repeat build and search5

Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old


Key idea reachability tree3

Key Idea: Reachability Tree

Initial

Unroll

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min spurious suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

8

5

8

3

1

1

3

Error Free

S1: Only Abstract Reachable States

S2: Don’t refine error-free regions

SAFE


Two handwaves

Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old


Two handwaves1

Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

Q. How to compute “successors” ?

2

LOCK , new==old

SAFE

3

3

LOCK , new==old

LOCK , new==old

q->data = new

unlock()

new++

4

4

4

LOCK , new=old

: LOCK , : new = old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old


Two handwaves2

Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

Q. How to compute “successors” ?

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

Q. How to find predicates ?

1

5

5

Refinement

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Predicates:LOCK, new==old


Two handwaves3

Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

Q. How to compute “successors” ?

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

Refinement

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Predicates:LOCK, new==old


Weakest preconditions

Weakest Preconditions

WP(P,OP)

Weakest formula P’ s.t.

if P’ is true beforeOP

then P is true afterOP

[WP(P, OP)]

OP

[P]


Weakest preconditions1

Weakest Preconditions

WP(P,OP)

Weakest formula P’ s.t.

if P’ is true beforeOP

then P is true afterOP

[WP(P, OP)]

OP

[P]

P[e/x]

new+1 = old

Assign

new=new+1

x=e

P

new = old


Weakest preconditions2

Weakest Preconditions

WP(P,OP)

Weakest formula P’ s.t.

if P’ is true beforeOP

then P is true afterOP

[WP(P, OP)]

OP

[P]

c ) P

new=old ) new=old

Assume

Branch

[new=old]

[c]

P

new = old


How to compute successor

How to compute successor ?

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

3

F

LOCK , new==old

OP

?

4

: LOCK , : new = old

For each p

  • Check if p is true (or false) after OP

    Q:When is p true afterOP ?

    - If WP(p, OP) is true beforeOP !

    - We know F is true before OP

    - Thm. Pvr. Query: F) WP(p, OP)

Predicates:LOCK, new==old


How to compute successor1

How to compute successor ?

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

3

F

LOCK , new==old

OP

?

4

For each p

  • Check if p is true (or false) after OP

    Q:When is p false afterOP ?

    - If WP(: p, OP) is true beforeOP !

    - We know F is true before OP

    - Thm. Pvr. Query: F) WP(: p, OP)

Predicates:LOCK, new==old


How to compute successor2

How to compute successor ?

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

3

F

LOCK , new==old

OP

?

4

: new = old

: LOCK , : new = old

For each p

  • Check if p is true (or false) after OP

    Q:When is p false afterOP ?

    - If WP(: p, OP) is true beforeOP !

    - We know F is true before OP

    - Thm. Pvr. Query: F) WP(: p, OP)

Predicate: new==old

(LOCK , new==old) ) (new + 1 = old)

True ?

NO

False ?

(LOCK , new==old) ) (new + 1  old)

YES


Lazy abstraction1

Lazy Abstraction

Yes

Safe

Abstract

CProgram

Refine

No

Property

Trace

Problem:Abstraction is Expensive

Solution:1.Abstract reachable states, 2. Avoid refining error-free regions

Key Idea: Reachability Tree


Property irp handler

start NP

CallDriver

SKIP1

SKIP2

return

child status

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

return

not Pend

no prop

completion

synch

CallDriver

N/A

N/A

IRP accessible

CallDriver

start P

SKIP2

Mark Pending

SKIP1

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

return

Pending

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

no prop

completion

CallDriver

N/A

Property: IRP Handler

[Fahndrich]


Results

Property3:

IRP Handler

Win NT DDK

Results

* Pre-processed


Predicates grows with program size

#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

T

F

T

Tracking lock not enough

Problem:

p1,…,pn needed for verification

Exponential reachable abstract states


Predicates grows with program size1

#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

: LOCK

LOCK, p1

: LOCK, : p1

: LOCK, : p1

: LOCK, p1

: LOCK

p1p2

p1: p2

: p1 p2

: p1: p2

2nAbstract States

Problem:

p1,…,pn needed for verification

Exponential reachable abstract states


Predicates useful locally

LOCK , p2

: LOCK , : p2

: LOCK

Predicates useful locally

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

: LOCK

p1

LOCK , p1

: LOCK, : p1

: LOCK , : p1

: LOCK

: LOCK , p1

: LOCK

: LOCK

p2

pn

2n Abstract States

Solution: Use predicates only where needed

Using Counterexamples:

Q1.Find predicates

Q2.Find where predicates are needed


Lazy abstraction2

Lazy Abstraction

Yes

Safe

Abstract

CProgram

Refine

No

Property

Trace

Problem:#Preds grows w/ Program Size

Solution: Localize pred. use, find where preds. needed

Ctrex.

Trace

Pred. Map

PC  Preds.

Refine


Counterexample traces

Counterexample Traces

1: x = ctr;

2: ctr = ctr + 1;

3: y = ctr;

4: if (x = i-1){

5: if (y != i){

ERROR: }

}

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

y = x +1


Trace formulas

Trace Formulas

1: x = ctr

2: ctr = ctr+1

3: y = ctr

4: assume(x=i-1)

5: assume(yi)

1: x1 = ctr0

2: ctr1 = ctr0+1

3: y1 = ctr1

4: assume(x1=i0-1)

5: assume(y1i0)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Trace

Trace Feasibility

Formula

SSA Trace

Thm: Trace is feasible, TF is satisfiable


The present state

The Present State…

Trace

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

… is all the information the

executing program hashere

State…

1. … after executing trace past (prefix)

2. … knows present values of variables

3. … makes trace future (suffix) infeasible

At pc4, which predicate on

present stateshows

infeasibility offuture ?


What predicate is needed

What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0 +1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)


What predicate is needed1

What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

1. … after executing trace prefix


What predicate is needed2

What Predicate is needed ?

Trace Formula (TF)

Trace

x1

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

1. … after executing trace prefix

2. … has present values of variables


What predicate is needed3

What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

1. … after executing trace prefix

2. … has present values of variables

3. … makes trace suffix infeasible


What predicate is needed4

What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

1. … after executing trace prefix

2. … has present values of variables

3. … makes trace suffix infeasible


Interpolant predicate

Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Computable from

Proof of Unsat

[Krajicek 97] [Pudlak 97]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable


Another interpretation

Another interpretation …

Trace Formula

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

After

exec

prefix

-

-

Interpolate

Can

exec

suffix

+

+

y1 = x1 + 1

Unsat = Empty Intersection = Trace Infeasible

Interpolant  =

Overapprox. states after prefix

that cannotexecute suffix


Interpolant predicate1

Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Computable from

Proof of Unsat

[Krajicek 97] [Pudlak 97]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable


Interpolant predicate2

Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

Q. How to compute interpolants ? …

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Computable from

Proof of Unsat

[Krajicek 97] [Pudlak 97]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable


Building predicate maps

Building Predicate Maps

Predicate Map

2:x= ctr

Trace

Trace Formula

-

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Interpolate

x1 = ctr0

+

  • Cut + Interpolate at each point

  • Pred. Map: pci Interpolant from cut i


Building predicate maps1

Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr-1

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

-

Interpolate

x1= ctr1-1

+

  • Cut + Interpolate at each point

  • Pred. Map: pci Interpolant from cut i


Building predicate maps2

-

Interpolate

+

Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

y1= x1+1

  • Cut + Interpolate at each point

  • Pred. Map: pci Interpolant from cut i


Building predicate maps3

-

Interpolate

+

Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

5:y = i

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

y1= i0

  • Cut + Interpolate at each point

  • Pred. Map: pci Interpolant from cut i


Local predicate use

Local Predicate Use

Use predicates needed at location

  • #Preds. grows with program size

  • #Preds per location small

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

5:y = i

Verification scales …

Local Predicate use

Ex: 2n states

Global Predicate use

Ex: 2n states


Results1

Property3:

IRP Handler

Win NT DDK

Results

* Pre-processed


Localizing

Property3:

IRP Handler

Win NT DDK

Localizing

* Pre-processed


Program verification by lazy abstraction

Q. How to compute interpolants ?


Proof of unsatisfiability

Proof of Unsatisfiability

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

x1 = ctr0

x1 = i0 -1

ctr1= ctr0+1

ctr0 = i0-1

ctr1 = i0

y1= ctr1

y1= i0

y1 i0

;

Proof of Unsatisfiability

Trace Formula


Another proof of unsatisfiability

x1 = ctr0

x1 = i0 -1

ctr1= ctr0+1

ctr0 = i0-1

ctr1 = i0

y1= ctr1

y1= i0

y1 i0

;

Proof of Unsatisfiability

Another Proof of Unsatisfiability

£ (-1)

£ 1

x1-i0 +1=0

x1– ctr0=0

£ 1

ctr1- ctr0-1=0

ctr0-i0+1=0

£ 1

y1-ctr1=0

ctr1-i0 =0

£ 1

y1-i0 0

y1-i0=0

0 0

Rewritten Proof


Interpolant from rewritten proof

Interpolant from Rewritten Proof ?

£ (-1)

£ 1

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

x1-i0 +1=0

x1– ctr0=0

£ 1

ctr1- ctr0-1=0

ctr0-i0+1=0

£ 1

y1-ctr1=0

ctr1-i0 =0

Interpolate

£ 1

y1-i0 0

y1-i0=0

0 0

Rewritten Proof

Trace Formula


Interpolant from rewritten proof1

Interpolant from Rewritten Proof ?

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

x1– ctr0=0

£ (-1)

£ 1

ctr1- ctr0-1=0

£ 1

y1-ctr1=0

Interpolate

y1=x1+1

y1-x1-1=0

Interpolant !

Trace Formula


Lazy abstraction3

Lazy Abstraction

Yes

Safe

Abstract

CProgram

Refine

No

Property

Trace

Problem:#Preds grows w/ Program Size

Solution: Localize pred. use, find where preds. needed

Refine

Trace

Feas

Formula

Proof of

Unsat

Ctrex.

Trace

Pred. Map

PC  Preds.

Thm Pvr

Interpolate


Verification by theorem proving

Verification by Theorem Proving

1. Loop Invariants

2. Logical formula

3. Check Validity

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

Invariant:

lock Æ new = old

Ç

: lock Æ new  old


Verification by theorem proving1

Verification by Theorem Proving

1. Loop Invariants

2. Logical formula

3. Check Validity

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

  • - Loop Invariants

  • Multithreaded Programs

  • + Behaviors encoded in logic

  • + Decision Procedures

[ESC]

Precise


Verification by program analysis

Verification by Program Analysis

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

1. Dataflow Facts

2. Constraint System

3. Solve constraints

- Imprecision due to fixed facts

+ Abstraction

+ Type/Flow Analyses

[CQUAL, ESP, MC]

Scalable


Verification by model checking

Verification by Model Checking

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

1. (Finite State) Program

2. State Transition Graph

3. Reachability

- Pgm ! Finite state model

  • State explosion

    + State Exploration

    + Counterexamples

[SPIN, SMV, Bandera,JPF ]

Precise


Combining strengths

Combining Strengths

Program Analysis

- Imprecise

+ Abstraction

Shrink state space

Theorem Proving

- loop invariants

+ Behaviors encoded in logic

Refine

+ Theorem provers

Computing Successors,Refine

Lazy

Abstraction

Model Checking

- Finite-state model, state explosion

+ State Space Exploration

Path Sensitive Analysis

+ Counterexamples

Finding Relevant Facts


Lazy abstraction main ideas

Lazy Abstraction: Main Ideas

  • Predicates:

    • Abstract infinite program states

  • Counterexample-guided Refinement:

    • Find predicates tailored to prog, property

  • Abstraction : Expensive

    Reachability Tree

  • Refinement : Find predicates, use locations Proof of unsat of TF + Interpolation


Next lecture modular analyses

Next Lecture: Modular Analyses

Procedures

- Summaries

Concurrency

- Thread-Context Reasoning


  • Login