program verification by lazy abstraction
Download
Skip this Video
Download Presentation
Program Verification by Lazy Abstraction

Loading in 2 Seconds...

play fullscreen
1 / 91

Program Verification by Lazy Abstraction - PowerPoint PPT Presentation


  • 178 Views
  • Uploaded on

Program Verification by Lazy Abstraction. Lecture 1. Ranjit Jhala UC San Diego. With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre. Software Validation. Large scale reliable software is hard to build and test Different groups write different components

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Program Verification by Lazy Abstraction' - kimo


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
program verification by lazy abstraction

Program Verification byLazy Abstraction

Lecture1

Ranjit Jhala

UC San Diego

With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre

software validation
Software Validation
  • Large scale reliable software is hard to build and test
  • Different groups write different components
  • Integration testing is a nightmare
property checking
Property Checking
  • Programmer gives partial specifications
  • Code checked for consistency w/ spec
  • Different from program correctness
    • Specifications are not complete
    • Is there a complete spec for Word ? Emacs ?
interface usage rules
Interface Usage Rules
  • Rules in documentation
    • Order of operations & data access
    • Resource management
    • Incomplete, unenforced, wordy
  • Violated rules ) bad behavior
    • System crash or deadlock
    • Unexpected exceptions
    • Failed runtime checks
property 1 double locking

lock

unlock

unlock

lock

Property 1: Double Locking

“An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock.”

Calls to lock and unlock must alternate.

property 2 drop root privilege
Property 2: Drop Root Privilege

[Chen-Dean-Wagner ’02]

“User applications must not run with root privilege”

When execv is called, must have suid  0

property 3 irp handler

start NP

CallDriver

SKIP1

SKIP2

return

child status

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

return

not Pend

no prop

completion

synch

CallDriver

N/A

N/A

IRP accessible

CallDriver

start P

SKIP2

Mark Pending

SKIP1

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

return

Pending

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

no prop

completion

CallDriver

N/A

Property 3 : IRP Handler

[Fahndrich]

does a given usage rule hold
Does a given usage rule hold?
  • Undecidable!
    • Equivalent to the halting problem
  • Restricted computable versions are

prohibitively expensive (PSPACE)

  • Why bother ?
    • Just because a problem is undecidable,

it doesn’t go away!

example

lock

unlock

unlock

lock

Example

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

what a program really is

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

What a program really is…

State

Transition

3: unlock();

new++;

4:} …

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;}

the safety verification problem
The Safety Verification Problem

Error

Safe

Initial

Is there a path from an initial to an error state ?

Problem:Infinitestate graph

Solution : Set of states \' logical formula

representing states as formulas
Representing States asFormulas

[F]

states satisfyingF {s | s² F }

F

FO fmla over prog. vars

[F1] Å [F2]

F1ÆF2

[F1] [ [F2]

F1 ÇF2

[F]

: F

[F1] µ [F2]

F1 implies F2

i.e. F1Æ: F2 unsatisfiable

idea 1 predicate abstraction
Idea 1: Predicate Abstraction
  • Predicates on program state:

lock

old = new

  • States satisfying same predicates

are equivalent

    • Merged into one abstract state
  • #abstract states is finite
abstract states and transitions

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

Abstract States and Transitions

State

3: unlock();

new++;

4:} …

Theorem Prover

lock

old=new

: lock

: old=new

abstraction

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

Abstraction

State

3: unlock();

new++;

4:} …

Theorem Prover

lock

old=new

: lock

: old=new

Existential Lifting

abstraction1

pc

lock

old

new

q

 3

 5

 5

 0x133a

pc

lock

old

new

q

 4

 5

 6

 0x133a

Abstraction

State

3: unlock();

new++;

4:} …

lock

old=new

: lock

: old=new

analyze abstraction
Analyze Abstraction

Analyze finite graph

Over Approximate:

Safe ) System Safe

No false negatives

Problem

Spurious counterexamples

idea 2 counterex guided refinement
Idea 2: Counterex.-Guided Refinement

Solution

Use spurious counterexamples

to refine abstraction!

idea 2 counterex guided refinement1
Idea 2: Counterex.-Guided Refinement

Solution

Use spurious counterexamples

to refine abstraction

1. Add predicates to distinguish

states across cut

2. Build refined abstraction

Imprecision due to merge

iterative abstraction refinement
Iterative Abstraction-Refinement

Solution

Use spurious counterexamples

to refine abstraction

1. Add predicates to distinguish

states across cut

2. Build refined abstraction

-eliminates counterexample

3. Repeat search

Till real counterexample

or system proved safe

[Kurshan et al 93] [Clarke et al 00]

[Ball-Rajamani 01]

lazy abstraction
Lazy Abstraction

Yes

BLAST

Safe

Abstract

CProgram

Refine

No

Property

Trace

problem abstraction is expensive
Problem: Abstraction is Expensive

Reachable

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

Observe

Fraction of state space reachable

#Preds ~ 100’s, #States ~ 2100 ,

#Reach ~ 1000’s

slide23

Solution1: Only Abstract Reachable States

Safe

Solution

Build abstraction during search

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

slide24

Solution2: Don’t Refine Error-Free Regions

Error

Free

Solution

Don’t refine error-free regions

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

key idea reachability tree
Key Idea: Reachability Tree

Initial

Unroll Abstraction

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

Find min infeasible suffix

- Learn new predicates

- Rebuild subtree with new preds.

5

4

3

key idea reachability tree1
Key Idea: Reachability Tree

Initial

Unroll Abstraction

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min infeasible suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

5

3

3

Error Free

key idea reachability tree2
Key Idea: Reachability Tree

Initial

Unroll

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min spurious suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

8

5

8

3

1

1

3

Error Free

S1: Only Abstract Reachable States

S2: Don’t refine error-free regions

SAFE

build and search
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

1

Reachability Tree

Predicates:LOCK

build and search1
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK

1

2

Reachability Tree

Predicates:LOCK

build and search2
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

[q!=NULL]

3

LOCK

1

2

3

Reachability Tree

Predicates:LOCK

build and search3
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

q->data = new

unlock()

new++

4

: LOCK

4

1

2

3

Reachability Tree

Predicates:LOCK

build and search4
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

4

: LOCK

[new==old]

5

: LOCK

5

4

1

2

3

Reachability Tree

Predicates:LOCK

build and search5
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

4

: LOCK

5

: LOCK

5

unlock()

4

: LOCK

1

2

3

Reachability Tree

Predicates:LOCK

analyze counterexample
Analyze Counterexample

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK

[q!=NULL]

3

LOCK

q->data = new

unlock()

new++

4

: LOCK

[new==old]

5

: LOCK

5

unlock()

4

: LOCK

1

2

3

Reachability Tree

Predicates:LOCK

analyze counterexample1
Analyze Counterexample

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

old = new

2

LOCK

3

LOCK

new++

4

: LOCK

[new==old]

5

: LOCK

5

Inconsistent

4

: LOCK

new == old

1

2

3

Reachability Tree

Predicates:LOCK

repeat build and search
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

1

Reachability Tree

Predicates:LOCK, new==old

repeat build and search1
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK , new==old

1

2

Reachability Tree

Predicates:LOCK, new==old

repeat build and search2
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

q->data = new

unlock()

new++

4

: LOCK , : new = old

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old

repeat build and search3
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

4

: LOCK , : new = old

[new==old]

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old

repeat build and search4
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

4

: LOCK , : new = old

[new!=old]

1

: LOCK,

: new == old

4

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old

repeat build and search5
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old

key idea reachability tree3
Key Idea: Reachability Tree

Initial

Unroll

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min spurious suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

8

5

8

3

1

1

3

Error Free

S1: Only Abstract Reachable States

S2: Don’t refine error-free regions

SAFE

two handwaves
Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old

two handwaves1
Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

Q. How to compute “successors” ?

2

LOCK , new==old

SAFE

3

3

LOCK , new==old

LOCK , new==old

q->data = new

unlock()

new++

4

4

4

LOCK , new=old

: LOCK , : new = old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old

two handwaves2
Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

Q. How to compute “successors” ?

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

Q. How to find predicates ?

1

5

5

Refinement

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Predicates:LOCK, new==old

two handwaves3
Two handwaves

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

Q. How to compute “successors” ?

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

Refinement

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Predicates:LOCK, new==old

weakest preconditions
Weakest Preconditions

WP(P,OP)

Weakest formula P’ s.t.

if P’ is true beforeOP

then P is true afterOP

[WP(P, OP)]

OP

[P]

weakest preconditions1
Weakest Preconditions

WP(P,OP)

Weakest formula P’ s.t.

if P’ is true beforeOP

then P is true afterOP

[WP(P, OP)]

OP

[P]

P[e/x]

new+1 = old

Assign

new=new+1

x=e

P

new = old

weakest preconditions2
Weakest Preconditions

WP(P,OP)

Weakest formula P’ s.t.

if P’ is true beforeOP

then P is true afterOP

[WP(P, OP)]

OP

[P]

c ) P

new=old ) new=old

Assume

Branch

[new=old]

[c]

P

new = old

how to compute successor
How to compute successor ?

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

3

F

LOCK , new==old

OP

?

4

: LOCK , : new = old

For each p

  • Check if p is true (or false) after OP

Q:When is p true afterOP ?

- If WP(p, OP) is true beforeOP !

- We know F is true before OP

- Thm. Pvr. Query: F) WP(p, OP)

Predicates:LOCK, new==old

how to compute successor1
How to compute successor ?

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

3

F

LOCK , new==old

OP

?

4

For each p

  • Check if p is true (or false) after OP

Q:When is p false afterOP ?

- If WP(: p, OP) is true beforeOP !

- We know F is true before OP

- Thm. Pvr. Query: F) WP(: p, OP)

Predicates:LOCK, new==old

how to compute successor2
How to compute successor ?

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

3

F

LOCK , new==old

OP

?

4

: new = old

: LOCK , : new = old

For each p

  • Check if p is true (or false) after OP

Q:When is p false afterOP ?

- If WP(: p, OP) is true beforeOP !

- We know F is true before OP

- Thm. Pvr. Query: F) WP(: p, OP)

Predicate: new==old

(LOCK , new==old) ) (new + 1 = old)

True ?

NO

False ?

(LOCK , new==old) ) (new + 1  old)

YES

lazy abstraction1
Lazy Abstraction

Yes

Safe

Abstract

CProgram

Refine

No

Property

Trace

Problem:Abstraction is Expensive

Solution:1.Abstract reachable states, 2. Avoid refining error-free regions

Key Idea: Reachability Tree

property irp handler

start NP

CallDriver

SKIP1

SKIP2

return

child status

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

return

not Pend

no prop

completion

synch

CallDriver

N/A

N/A

IRP accessible

CallDriver

start P

SKIP2

Mark Pending

SKIP1

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

return

Pending

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

no prop

completion

CallDriver

N/A

Property: IRP Handler

[Fahndrich]

results

Property3:

IRP Handler

Win NT DDK

Results

* Pre-processed

predicates grows with program size
#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

T

F

T

Tracking lock not enough

Problem:

p1,…,pn needed for verification

Exponential reachable abstract states

predicates grows with program size1
#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

: LOCK

LOCK, p1

: LOCK, : p1

: LOCK, : p1

: LOCK, p1

: LOCK

p1p2

p1: p2

: p1 p2

: p1: p2

2nAbstract States

Problem:

p1,…,pn needed for verification

Exponential reachable abstract states

predicates useful locally

LOCK , p2

: LOCK , : p2

: LOCK

Predicates useful locally

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

: LOCK

p1

LOCK , p1

: LOCK, : p1

: LOCK , : p1

: LOCK

: LOCK , p1

: LOCK

: LOCK

p2

pn

2n Abstract States

Solution: Use predicates only where needed

Using Counterexamples:

Q1.Find predicates

Q2.Find where predicates are needed

lazy abstraction2
Lazy Abstraction

Yes

Safe

Abstract

CProgram

Refine

No

Property

Trace

Problem:#Preds grows w/ Program Size

Solution: Localize pred. use, find where preds. needed

Ctrex.

Trace

Pred. Map

PC  Preds.

Refine

counterexample traces
Counterexample Traces

1: x = ctr;

2: ctr = ctr + 1;

3: y = ctr;

4: if (x = i-1){

5: if (y != i){

ERROR: }

}

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

y = x +1

trace formulas
Trace Formulas

1: x = ctr

2: ctr = ctr+1

3: y = ctr

4: assume(x=i-1)

5: assume(yi)

1: x1 = ctr0

2: ctr1 = ctr0+1

3: y1 = ctr1

4: assume(x1=i0-1)

5: assume(y1i0)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Trace

Trace Feasibility

Formula

SSA Trace

Thm: Trace is feasible, TF is satisfiable

the present state
The Present State…

Trace

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

… is all the information the

executing program hashere

State…

1. … after executing trace past (prefix)

2. … knows present values of variables

3. … makes trace future (suffix) infeasible

At pc4, which predicate on

present stateshows

infeasibility offuture ?

what predicate is needed
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0 +1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

what predicate is needed1
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

1. … after executing trace prefix

what predicate is needed2
What Predicate is needed ?

Trace Formula (TF)

Trace

x1

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

1. … after executing trace prefix

2. … has present values of variables

what predicate is needed3
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

1. … after executing trace prefix

2. … has present values of variables

3. … makes trace suffix infeasible

what predicate is needed4
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

1. … after executing trace prefix

2. … has present values of variables

3. … makes trace suffix infeasible

interpolant predicate
Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Computable from

Proof of Unsat

[Krajicek 97] [Pudlak 97]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

another interpretation
Another interpretation …

Trace Formula

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

After

exec

prefix

-

-

Interpolate

Can

exec

suffix

+

+

y1 = x1 + 1

Unsat = Empty Intersection = Trace Infeasible

Interpolant  =

Overapprox. states after prefix

that cannotexecute suffix

interpolant predicate1
Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Computable from

Proof of Unsat

[Krajicek 97] [Pudlak 97]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

interpolant predicate2
Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

Q. How to compute interpolants ? …

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Computable from

Proof of Unsat

[Krajicek 97] [Pudlak 97]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

building predicate maps
Building Predicate Maps

Predicate Map

2:x= ctr

Trace

Trace Formula

-

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Interpolate

x1 = ctr0

+

  • Cut + Interpolate at each point
  • Pred. Map: pci Interpolant from cut i
building predicate maps1
Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr-1

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

-

Interpolate

x1= ctr1-1

+

  • Cut + Interpolate at each point
  • Pred. Map: pci Interpolant from cut i
building predicate maps2

-

Interpolate

+

Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

y1= x1+1

  • Cut + Interpolate at each point
  • Pred. Map: pci Interpolant from cut i
building predicate maps3

-

Interpolate

+

Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

5:y = i

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0+ 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

y1= i0

  • Cut + Interpolate at each point
  • Pred. Map: pci Interpolant from cut i
local predicate use
Local Predicate Use

Use predicates needed at location

  • #Preds. grows with program size
  • #Preds per location small

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

5:y = i

Verification scales …

Local Predicate use

Ex: 2n states

Global Predicate use

Ex: 2n states

results1

Property3:

IRP Handler

Win NT DDK

Results

* Pre-processed

localizing

Property3:

IRP Handler

Win NT DDK

Localizing

* Pre-processed

proof of unsatisfiability
Proof of Unsatisfiability

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

x1 = ctr0

x1 = i0 -1

ctr1= ctr0+1

ctr0 = i0-1

ctr1 = i0

y1= ctr1

y1= i0

y1 i0

;

Proof of Unsatisfiability

Trace Formula

another proof of unsatisfiability

x1 = ctr0

x1 = i0 -1

ctr1= ctr0+1

ctr0 = i0-1

ctr1 = i0

y1= ctr1

y1= i0

y1 i0

;

Proof of Unsatisfiability

Another Proof of Unsatisfiability

£ (-1)

£ 1

x1-i0 +1=0

x1– ctr0=0

£ 1

ctr1- ctr0-1=0

ctr0-i0+1=0

£ 1

y1-ctr1=0

ctr1-i0 =0

£ 1

y1-i0 0

y1-i0=0

0 0

Rewritten Proof

interpolant from rewritten proof
Interpolant from Rewritten Proof ?

£ (-1)

£ 1

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

x1-i0 +1=0

x1– ctr0=0

£ 1

ctr1- ctr0-1=0

ctr0-i0+1=0

£ 1

y1-ctr1=0

ctr1-i0 =0

Interpolate

£ 1

y1-i0 0

y1-i0=0

0 0

Rewritten Proof

Trace Formula

interpolant from rewritten proof1
Interpolant from Rewritten Proof ?

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

x1– ctr0=0

£ (-1)

£ 1

ctr1- ctr0-1=0

£ 1

y1-ctr1=0

Interpolate

y1=x1+1

y1-x1-1=0

Interpolant !

Trace Formula

lazy abstraction3
Lazy Abstraction

Yes

Safe

Abstract

CProgram

Refine

No

Property

Trace

Problem:#Preds grows w/ Program Size

Solution: Localize pred. use, find where preds. needed

Refine

Trace

Feas

Formula

Proof of

Unsat

Ctrex.

Trace

Pred. Map

PC  Preds.

Thm Pvr

Interpolate

verification by theorem proving
Verification by Theorem Proving

1. Loop Invariants

2. Logical formula

3. Check Validity

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

Invariant:

lock Æ new = old

Ç

: lock Æ new  old

verification by theorem proving1
Verification by Theorem Proving

1. Loop Invariants

2. Logical formula

3. Check Validity

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

  • - Loop Invariants
  • Multithreaded Programs
  • + Behaviors encoded in logic
  • + Decision Procedures

[ESC]

Precise

verification by program analysis
Verification by Program Analysis

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

1. Dataflow Facts

2. Constraint System

3. Solve constraints

- Imprecision due to fixed facts

+ Abstraction

+ Type/Flow Analyses

[CQUAL, ESP, MC]

Scalable

verification by model checking
Verification by Model Checking

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

1. (Finite State) Program

2. State Transition Graph

3. Reachability

- Pgm ! Finite state model

  • State explosion

+ State Exploration

+ Counterexamples

[SPIN, SMV, Bandera,JPF ]

Precise

combining strengths
Combining Strengths

Program Analysis

- Imprecise

+ Abstraction

Shrink state space

Theorem Proving

- loop invariants

+ Behaviors encoded in logic

Refine

+ Theorem provers

Computing Successors,Refine

Lazy

Abstraction

Model Checking

- Finite-state model, state explosion

+ State Space Exploration

Path Sensitive Analysis

+ Counterexamples

Finding Relevant Facts

lazy abstraction main ideas
Lazy Abstraction: Main Ideas
  • Predicates:
    • Abstract infinite program states
  • Counterexample-guided Refinement:
    • Find predicates tailored to prog, property
  • Abstraction : Expensive

Reachability Tree

  • Refinement : Find predicates, use locations Proof of unsat of TF + Interpolation
next lecture modular analyses
Next Lecture: Modular Analyses

Procedures

- Summaries

Concurrency

- Thread-Context Reasoning

ad