 Download Presentation Software Model Checking: on the power of refinement Software Model Checking: on the power of refinement - PowerPoint PPT Presentation

Download Presentation Software Model Checking: on the power of refinement
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

1. Software Model Checking:on the power of refinement Thomas Ball Testing, Verification and Measurement Microsoft Research

2. Predicate Abstraction • Where do predicates come from? • Choice of predicates critical • precision of abstraction • efficiency • No criteria for guiding design of predicate generation/refinement algorithms • until now, “rule out spurious counterexamples”

3. Termination of SLAM • [Cousot-Cousot, PLILP’92] • widening + abstract interpretation with infinite lattices (WAIL) is more powerful than a (single) finite abstraction • [Ball-Podelski-Rajamani, TACAS’02] • finite abstractions plus iterative refinement (FAIR) is more powerful than WAIL • Namjoshi/Kurshan, Henzinger/Majumdar • if there is a finite (bi-)simulation quotient then WAIL with no widening will terminate [and therefore so will FAIR]

4. Termination and Widening • Widening is used to achieve termination by enlarging the set of states (to reach a fixpoint) • 5  x  10 widened to 5  x • Of course, widening may lose precision • Every fixpoint algorithm that loses precision (in order to terminate) applies widening

5. Relative Completeness • WAIL • widening + abstract intepretation over infinite lattice • FAIR • Finite abstraction + iterative refinement • FAIR terminates with success if • there is an “widening oracle” such that WAIL terminates with success

6. Fixpoint Fixpoint + Widening(WAIL) X := init; while X  S do X’ := X  F(X) ifX’  X then break i := oracle’s guess X := W(i, X’) od return X  S X := init; while X  S do X’ := X  F(X) ifX’  X then break X := X’ od return X  S

7. F F F F F F F F W W W F W F W F F Search Space of Widenings

8. Finite Abstraction + Iterative Refinement • If WAIL succeeds in N iterations then FAIR will succeed in N iterations • But, FAIR can succeed earlier, due to use of interior (abstract) fixpoint X := init; while truedo P := atoms(X); X# := lfp(F#P, init) ifX# S then break X := X  F(X) od return X# S

9. F F F F F F F F F F W W W F F W F F W F F F Search Space WAIL+oracle FAIR

10. Outline • Preliminaries • WAIL and FAIR methods • Theorem • Discussion • Related Work

11. Guarded Command Language • Variables X = {x1, …, xn } • Guarded command c • c  g  x1’=e1 …  xn’=en also written as • c  g  x1:=e1, … xn:=en for true updates • Program is a set of guarded commands • each command is deterministic • set of commands may be non-deterministic

12. Example L1 : x = 0; L2: while ( x >= 0) { x = x + 1; } L3: if (y == 25) { L4: if ( y != 25) { L5: while ( z != 0) { z = z-1; } ERROR: } } guarded commands: c1: pc = L1  pc := L2; x := 0 c2: pc = L2  x ≥ 0  x := x + 1 c3: pc = L2  x < 0  pc := L3 c4: pc = L3  y = 25  pc := L4 c5: pc = L4  y ≠ 25  pc := L5 c6: pc = L5  z ≠ 0  z := z -1 c8: pc = L5  z=0  pc := ERROR

13. Symbolic Representation of States   iI jJ(i)ij ij : atomic formula such as (x<5) ’   ’ 

14. pre/post ofc  g  x1’=e1 …  xn’=en • prec() g [e1,…en/ x1,…xn] • postc() (X.(  c))[X/X’] • pre() cC prec() • post() cC postc()

15. unreachable reachable States Reachability unsafe unsafe init

16. unsafe  post() init Safe Forward Invariants •  is a safe forward invariant if • init  • post()   •   safe

17. Example L1: i:=0; L2: while(i|N|) { L3: i:=i+1; } L4: assert(i>0); L5 • A safe inductive invariant  (pc=L1)  (pc=L2  i=0)  (pc=L3  i0)  (pc=L2  i>0)  (pc=L4  i>0)  (pc=L5) init  (pc=L1) safe  (pc=L4)  (i>0) post() (pc=L2  i=0)  (pc=L3  i=0  i|N|)  (pc=L2  i1)  (pc=L3  i>0  i|N|)  (pc=L4  i>0  i>|N|)  (pc=L5  i>0)  (pc=L5)

18. unsafe pre()  init Safe Backward Invariants •  is a safe backward invariant if • unsafe  • pre()   •   noninit

19. Neutral notation •  is a safe <F,start,bound>-invariant if • start • F()   •   bound • <F,start,bound> • <post,init,safe> • <pre,unsafe,noninit>

20. F# via Predicate Abstraction • A set P of predicates over a program’s state space defines an abstraction of the program • P = { (a=1), (b=1), (a>0) } • Uninterpreted atoms [a=1][b=1][a>0] • If P has n predicates, the abstract domain contains exactly 22n elements • an abstract state = conjunction () of atoms • a set of abstract states = disjunction () of abstract states

21. [a=1] P [a>0] Abstract Ordering P(read “syntactic implication”) iIci PkKck  for all iI, exists kK: atoms(ci)  atoms(ck) [a=1][b=1] P [a=1] [a=1][b=1] P [a=1][a>0] [a=1][a>0] P [a=1]

22. true false Free Lattice of DNF over {a,b} a  b  (ab) a  b a  (ab) b  (ab) Logical Implication a b (ab) 

23. F#PPF  •  the identity function • P() the least ’ (by P) such that    ’ • Example: • P = { (x<2), (x<3), (x=0) } •  P( x=1 ) = (x<2)  (x<3)

24. Agenda • Two procedures for computing safe invariants • WAIL • FAIR • Is FAIR as powerful as WAIL?

25. AIL n:= 0;  := start; old := false; loop if (  old) then if ( bound) then return “success” else return “don’t know” else old :=   :=   F() forever

26. Widening • widen() = ’ such that   ’ • We consider widening that simply drops terms from some conjuncts widen(iI jJ(i)ij ) = iI jJ’(i)ij where J’(i)  J(i) • Results can be extended to other classes of widenings

27. WAIL n:= 0;  := start; old := false; loop if (  old) then if ( bound) then return “success” else return “Don’t know” else old :=  i := guess provided by oracle  := widen(i,   F() ) forever

28. FAIR n := 0;  := start loop Pn := atoms() construct F#n, as defined by Pn  := lfp(F#n, start) if (bound) then return “success”  := F( ); n := n + 1; forever

29. FAIR WAIL n := 0;  := start loop Pn := atoms() construct F#n, as defined by Pn  := lfp(F#n, start) if (bound) then return “success”  := F( ); n := n + 1; forever n:= 0;  := start; old := false; loop if (  old) then if ( bound) then return “success” else return “Don’t know” else old :=  i := guess provided by oracle  := widen(i,   F() ) forever Theorem: Suppose <F,start,bound> = <pre,unsafe,noninit> Then, for any program P, if Method 2 terminates with success for some sequence of widening choices, then Method 1 will terminate with success as well.

30. Lemma 1: If a safe invariant  can be expressed in terms of predicates in P then lfp(F#P, start) is a safe invariant • Lemma 2: For any guarded command c, prec(  ’) = prec()  prec(’) prec( ’) = prec()  prec(’) • Corollary: For any guarded command c, atoms(prec(  ’)) = atoms(prec())  atoms(prec(’)) atoms(prec(  ’)) = atoms(prec())  atoms(prec(’))

31. Proof of Theorem ’0 = start ’n+1 = widen(’npre(’n)) 0 = start n+1 = npre(n) for all i, atoms(i)  atoms(’i) by induction on i and Lemma 2 if ’i is a safe inv. then by Lemma 1 and above result lfp(F#atoms(i), start) is a safe inv.

32. L1 : x = 0; L2: while ( x >= 0) { x = x + 1; } L3: if (y == 25) { L4: if ( y != 25) { L5: while ( z != 0) { z = z-1; } ERROR: } } init: (pc = L1) unsafe: (pc = ERROR) guarded commands: c1: pc = L1  pc := L2; x := 0 c2: pc = L2  x ≥ 0  x := x + 1 c3: pc = L2  x < 0  pc := L3 c4: pc = L3  y = 25  pc := L4 c5: pc = L4  y ≠ 25  pc := L5 c6: pc = L5  z ≠ 0  z := z -1 c8: pc = L5  z=0  pc := ERROR Fact 1 : Both naïve forward and naïve backward reachability don’t terminate Fact 2: WAIL can terminate going forward FAIR cannot terminate going forward

33. L1 : x = 0; L2: while ( x >= 0) { x = x + 1; } L3: if (y == 25) { L4: if ( y != 25) { L5: while ( z != 0) { z = z-1; } ERROR: } } init: (pc = L1) unsafe: (pc = ERROR) guarded commands: c1: pc = L1  pc := L2; x := 0 c2: pc = L2  x ≥ 0  x := x + 1 c3: pc = L2  x < 0  pc := L3 c4: pc = L3  y = 25  pc := L4 c5: pc = L4  y ≠ 25  pc := L5 c6: pc = L5  z ≠ 0  z := z -1 c8: pc = L5  z=0  pc := ERROR Fact 3: Both methods terminate going backward!

34. Asymmetry between forward and backward • guarded command notation is asymmetric • satisfiability of formulas resulting from post requires existential quantifier elimination • pre can be done “syntactically” without doing any satisfiability check (in fact this is necessary)

35. Observations • Results hold for forward abstract fixpoint + “dual” backward refinement • Results generalize for negation • BDDs implement operations in the free lattice • Converse of theorem does not hold • success in FAIR -/-> success of WAIL

36. Related Work • Namjoshi/Kurshan, Henzinger/Majumdar • if there is a finite (bi-)simulation quotient then Method 1 with no widening will terminate [and therefore so will Method 2] • Cousot/Cousot • fixpoint + widening more powerful than a single abstract fixpoint

37. Conclusions • Predicate abstraction + refinement and widening can be formally related to each other • Predicate abstraction + refinement = widening with “optimal” guidance

38. Searching for Solutions • Once upon a time, only a human could play a great game of chess… • … but then smart brute force won the day (Deep Blue vs. Kasparov) • Once upon a time, only a human could design a great abstraction…