
Spacer : Abstractions from Proofs and Counterexamples

Anvesh Komuravelli, Carnegie Mellon University. Joint work with Arie Gurfinkel, Sagar Chaki and Edmund Clarke.


Presentation Transcript


  1. Spacer : Abstractions from Proofs and Counterexamples. Anvesh Komuravelli, Carnegie Mellon University. Joint work with Arie Gurfinkel, Sagar Chaki and Edmund Clarke.

  2. Safety Verification. Software Model Checking: automatic analysis for assertion failures. Input: Program P + Assertions. Possible outcomes: Safe + Proof; Unsafe + Counterexample; Unknown + Partial Proof. The question is whether error(P) ∩ reach(P) is empty.

  3. Over-approximation Driven (OD) error(P) reach(P)

  4. Over-approximation Driven (OD) error(P) reach(P)

  5. Over-approximation Driven (OD)

  6. Under-approximation Driven (UD) reach(P) error(P)

  7. Under-approximation Driven (UD) error(P) reach(P)

  8. Under-approximation Driven (UD)

  9. Key Recent Advancements

  10. But… μZ (SMT-Based Model Checker, part of Z3) cannot solve the following program in an hour, yet solves an abstraction of it (t = * in place of t = 1) in < 1 sec. How to find such abstractions automatically?
    x = y = z = w = 0;
    while (*) {
      if (*) { x++; y += 100; }
      else if (*) { if (x ≥ 4) { x++; y++; } }
      else if (y > 10w && z ≥ 100x) { y = −y; }
      t = 1;            // abstraction: t = *;
      w += t; z += 10t;
    }
    assert (!(x ≥ 4 && y ≤ 2));
    Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.

  11. Our Strategy (error(P) vs. reach(P)): Under-approx. → Abstract → Under-approx.

  12. Our Strategy: Under-approx. → Abstract → Under-approx. → Refine

  13. Our Strategy: Under-approx. → Abstract → Under-approx. → Refine → Abstract

  14. Our Strategy: … and so on.

  15. Our Strategy: stop once reach(P) is covered (error(P) ∩ reach(P) empty). Abstractions guide the SMT solver to look for general proofs.

  16. It’s based on UD: a sequence of under-approximations … (abstract) …

  17. It’s based on UD: the under-approximations need not be monotonic … (abstract) …

  18. Spacer is based on UD: under-approximations plus non-trivial abstraction … (abstract) …

  19. Spacer (flowchart): Program → Under-Approximate → Check Safety → Feasible? Yes → Safety Proof; No → Abstract (Proof-Based Abstraction) → Check Safety → Feasible? Yes → Counterexample; No → Refine (CEGAR) → back to Under-Approximate.

  20. Schematic Example. Loop invariants (invar_1 … invar_4), then add counters (c, assume (c < k1)) to under-approximate. Flow: Under-approximate → Solve.
    init_stmt; c = 0;
    while (*) {
      // invar_1, invar_2
      // invar_3, invar_4
      assume (c < k1);
      if (*) { v1 = e1; v2 = e2; }
      else   { v3 = e3; v4 = e4; }
      v5 = e5; v6 = e6;
      c += 1;
    }
    assert (safe);

  21. Schematic Example. Extract unbounded invariants: invar_1, invar_2 are unbounded (they do not mention the counter), invar_3, invar_4 are specific to the under-approximation. Treat the unbounded ones as guessed invariants and strengthen the program with them, essentially like Houdini [FL’01]. Flow: Under-approximate → Solve → Extract Unbounded Invariants → Strengthen with Invariants → Feasible?
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2        (unbounded!)
      // invar_3, invar_4        (specific to under-approx.)
      assume (c < k1);
      if (*) { v1 = e1; v2 = e2; }
      else   { v3 = e3; v4 = e4; }
      v5 = e5; v6 = e6;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);
    [FL’01] Houdini, an annotation assistant for ESC/Java, C. Flanagan and K.R.M. Leino, 2001.

  22. Schematic Example. Without the counter, the guessed invariants alone do not prove the assertion. Flow: Under-approximate → Solve → Feasible? NO.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2
      if (*) { v1 = e1; v2 = e2; }
      else   { v3 = e3; v4 = e4; }
      v5 = e5; v6 = e6;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

  23. Schematic Example. Back in the under-approximation, the proof shows that the assignments to v2, v4 and v6 are redundant for the proof. Flow: Under-approximate → Solve → Feasible? NO → Abstract.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2
      // invar_3, invar_4
      assume (c < k1);
      if (*) { v1 = e1; v2 = e2; }      // v2 = e2 redundant for the proof
      else   { v3 = e3; v4 = e4; }      // v4 = e4 redundant for the proof
      v5 = e5; v6 = e6;                 // v6 = e6 redundant for the proof
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

  24. Schematic Example. Proof-Based Abstraction: replace the redundant assignments by nondeterministic ones. Flow: Under-approximate → Solve → Feasible? NO → Abstract.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_1, invar_2
      // invar_3, invar_4
      assume (c < k1);
      if (*) { v1 = e1; v2 = *; }
      else   { v3 = e3; v4 = *; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

  25. Schematic Example. Under-approximate the abstraction with a larger bound k2 > k1: the solver returns an abstract counterexample. Concretize it; the concrete control path is infeasible, so refine. Flow: Under-approximate → Solve → Feasible? NO → Refine.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      assume (c < k2);
      if (*) { v1 = e1; v2 = *; }
      else   { v3 = e3; v4 = *; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

  26. Schematic Example. CEGAR: restore the assignments needed to rule out the spurious counterexample (v2 = e2, v4 = e4); v6 = * stays abstract. Flow: Under-approximate → Solve → Feasible? NO → Refine.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      assume (c < k2);
      if (*) { v1 = e1; v2 = e2; }
      else   { v3 = e3; v4 = e4; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

  27. Schematic Example. The proof of the refined under-approximation yields unbounded invariants invar_5, invar_6. Flow: Under-approximate → Solve → Feasible? YES → Safety Proof.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      // invar_5
      // invar_6
      assume (c < k2);
      if (*) { v1 = e1; v2 = e2; }
      else   { v3 = e3; v4 = e4; }
      v5 = e5; v6 = *;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

  28. Spacer (flowchart, as on slide 19): Program → Under-Approximate → Check Safety → Feasible? Yes → Safety Proof; No → Abstract (Proof-Based Abstraction) → Check Safety → Feasible? Yes → Counterexample; No → Refine (CEGAR) → back to Under-Approximate.

  29. Spacer Tool: the same flowchart, with Check Safety performed by the μZ Horn-Clause Solver (part of Z3).

  30. Spacer Tool: Program → Horn-Clause Encoding → Under-Approximate / Abstract / Refine → Check Safety (μZ Horn-Clause Solver, part of Z3) → Safety Proof or Counterexample.

  31. Spacer Tool C Program Preprocessing UFO Frontend (based on LLVM) Simplification, Large Block Encoding, etc. Horn Clause Encoding Implemented using UFO Frontend

  32. Results on SV-COMP’13 Benchmarks

  33. Results on SV-COMP’13 Benchmarks < 5 min. Mixed Results

  34. Results on SV-COMP’13 Benchmarks Advantage!

  35. Results on SV-COMP’13 Benchmarks Advantage! Time-out Mem-out

  36. Initial Example, revisited. μZ (SMT-Based Model Checker, part of Z3) cannot solve the program in an hour, but solves the abstraction (t = *) in < 1 sec. Spacer (our tool) finds a proof in a minute.
    x = y = z = w = 0;
    while (*) {
      if (*) { x++; y += 100; }
      else if (*) { if (x ≥ 4) { x++; y++; } }
      else if (y > 10w && z ≥ 100x) { y = −y; }
      t = 1;            // abstraction: t = *;
      w += t; z += 10t;
    }
    assert (!(x ≥ 4 && y ≤ 2));
    Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS ‘08.

  37. Conclusion.
    Focused Proofs:
    • Abstractions guide the SMT solver to look for a certain kind of proof.
    • Avoid proofs that are specific to an under-approximation.
    How to obtain abstractions?
    • From proofs of under-approximations (Proof-Based Abstraction).
    • Hope: what is sufficient for the under-approximation is sufficient in general.
    • Downside: if the abstraction is too coarse, it needs to be refined (CEGAR).
    For more details, read our CAV’13 paper!

  38. Ongoing work: syntactic abstraction (as above, replacing assignments by *) versus semantic abstraction.
    init_stmt; c = 0;
    assume (invar_1, invar_2);
    while (*) {
      if (*) { v1 = e1; v2 = *; }
      else   { v3 = e3; v4 = *; }
      v5 = e5; v6 = e6;
      c += 1;
      assume (invar_1, invar_2);
    }
    assert (safe);

  39. Ongoing work – Handling Procedures. Semantic abstractions → procedure summaries / Hoare triples. Syntactic abstractions → abstracting a procedure’s body. Goal: obtain a modular proof of safety.

  40. Ongoing work – Quantified Invariants (joint work with Ken McMillan).
    i := 0;
    while (i < n) {
      // (quantified loop invariant goes here)
      a[i] := c; i++;
    }
    assume (0 ≤ k < n);
    assert (a[k] = c);

  41. Ongoing work – Quantified Invariants (joint work with Ken McMillan). Abstraction.

  42. Ongoing work – Quantified Invariants (joint work with Ken McMillan). Reduces to quantifier-free invariant generation (use an off-the-shelf model checker).
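The two ideas that slides 21 and 40 to 42 rely on, worked through in plain Python as an added example (not code from Spacer or from Houdini): fix one arbitrary index `k` so that the array loop only needs a quantifier-free invariant about `a[k]`, then prune a set of candidate invariants Houdini-style, dropping any conjunct that is not inductive relative to the others until the rest is closed under the initial states and the loop body. The candidate list, the constant `C`, the bound `N_MAX` and the function names are this example's own assumptions. Because the domain is bounded, the inductiveness check is exhaustive and therefore sound only for that bound, which makes it an under-approximation in the sense of slide 6; Spacer obtains the unbounded check from the SMT solver instead.

```python
"""Houdini-style pruning of candidate invariants for the array loop of slide 40,
after the single-cell abstraction of slides 41-42 (added example; not Spacer's
or Houdini's own code)."""
from itertools import product

# Loop:  i := 0; while (i < n) { a[i] := c; i++; }  assume (0 <= k < n); assert (a[k] = c)
# Abstract state: (i, n, k, ak), where ak stands for the single tracked cell a[k].
C = 1        # assumption: the constant written into the array
N_MAX = 3    # assumption: bound on n so the inductiveness check can be exhaustive


def initial_states():
    """i := 0, with n, k and the initial contents of a[k] arbitrary (0 <= k < n)."""
    for n in range(N_MAX + 1):
        for k in range(n):
            for ak in (0, 1):
                yield (0, n, k, ak)


def all_states():
    """Every abstract state in the bounded domain, reachable or not: Houdini
    checks inductiveness on all states satisfying the candidate conjunction."""
    return list(product(range(N_MAX + 1), range(N_MAX + 1), range(N_MAX + 1), (0, 1)))


def step(state):
    """One iteration of the loop body; only a[k] is tracked, so a[i] := c
    changes the state exactly when i == k."""
    i, n, k, ak = state
    if i < n:
        yield (i + 1, n, k, C if i == k else ak)


# Candidate conjuncts (assumed); each takes the abstract state components.
CANDIDATES = {
    'k < n':             lambda i, n, k, ak: k < n,
    'i <= n':            lambda i, n, k, ak: i <= n,
    'i <= k':            lambda i, n, k, ak: i <= k,
    'a[k] = c':          lambda i, n, k, ak: ak == C,
    'k < i -> a[k] = c': lambda i, n, k, ak: ak == C or not (k < i),
}


def houdini(candidates, inits, states, successors):
    """Drop candidates violated by an initial state or by a successor of a
    state satisfying the current conjunction; repeat until nothing changes.
    Dropping a conjunct weakens the antecedent, so earlier survivors are
    re-checked on every round."""
    live = dict(candidates)
    changed = True
    while changed:
        changed = False
        for name, pred in list(live.items()):
            if any(not pred(*s) for s in inits):
                del live[name]
                changed = True
        for s in states:
            if not all(p(*s) for p in live.values()):
                continue
            for s2 in successors(s):
                for name, pred in list(live.items()):
                    if not pred(*s2):
                        del live[name]
                        changed = True
    return live


def inferred():
    """The inductive conjunction Houdini leaves over from CANDIDATES."""
    return houdini(CANDIDATES, list(initial_states()), all_states(), step)


def proves_assertion(inv):
    """Does `inv` at loop exit (not (i < n)) imply the assertion a[k] = c?"""
    for s in all_states():
        i, n, k, ak = s
        if all(p(*s) for p in inv.values()) and not i < n and ak != C:
            return False
    return True


if __name__ == '__main__':
    inv = inferred()
    print(sorted(inv))                 # the surviving quantifier-free invariant
    print(proves_assertion(inv))
```

The survivor `k < i -> a[k] = c` is the quantifier-free shadow of the quantified invariant `forall j < i. a[j] = c`: because `k` was chosen arbitrarily and never modified, a proof about `a[k]` is a proof about every cell, which is the reduction slide 42 states.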

  43. Questions?
