predicate abstraction for software verification n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Predicate Abstraction for Software Verification PowerPoint Presentation
Download Presentation
Predicate Abstraction for Software Verification

Loading in 2 Seconds...

play fullscreen
1 / 23

Predicate Abstraction for Software Verification - PowerPoint PPT Presentation


  • 99 Views
  • Uploaded on

Predicate Abstraction for Software Verification. Cormac Flanagan Shaz Qadeer. Verifying a Procedure. Given: Precondition Postcondition Loop Invariants specified for all loops Generate a Logical Formula (F) for the procedure And, Prove (using a decision Procedure)

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Predicate Abstraction for Software Verification' - gabi


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
verifying a procedure
Verifying a Procedure
  • Given:
      • Precondition
      • Postcondition
      • Loop Invariants specified for all loops
  • Generate a Logical Formula (F) for the procedure
  • And, Prove (using a decision Procedure)
    • Precondition && F => Postcondition
this paper
This paper…
  • Specifying Pre & Post conditions of procedures is a useful documentation.
  • Specifying Loop Invariants is tedious and difficult (and “useless”)
  • Infer Loop Invariants, using Predicate Abstraction
outline of presentation
Outline of Presentation
  • Symbolic Simulation using Strongest Postconditions
      • Assuming Loop Invariants are given
  • Infer Loop Invariants using Predicate Abstraction
symbolic simulation1
Symbolic Simulation
  • Convert Java to a Guarded Command Language
  • Starting from the Precondition, determine the Strongest Postcondition
strongest postconditions
Strongest Postconditions
  • Given Q a formula, S a statement
  • Norm(Q,S)
    • Given that Q is true before S
    • Norm(Q,S) is true after Normal Execution of S
  • Wrong(Q,S)
    • Given that Q is true before S
    • Wrong(Q,S) is true when S fails
strongest postcondition semantics
Strongest Postcondition Semantics
  • Norm(Q, assert P) = Q && P
  • Wrong(Q, assert P) = Q && !P
      • When assert P fails we know !P is true
  • Norm(Q, assume P) = Q && P
  • Wrong(Q, assume P) = false
      • assume P never fails
strongest postcondition semantics 2
Strongest Postcondition Semantics (2)
  • Norm(Q,A;B) = Norm(Norm(Q,A), B)
  • Norm(Q, A;B)
    • Norm(Q,A) is true after A
    • This is the Precondition for B
  • Wrong(Q,A;B)
    • Either A fails => Wrong(Q,A) is true
    • Or A succeeds but B fails =>

Wrong(Norm(Q,A), B) is true

  • Wrong(Q,A;B) = Wrong(Q,A) ||

Wrong(Norm(Q,A), B)

strongest postcondition semantics 3
Strongest Postcondition Semantics (3)
  • Norm(Q, AB) = Norm(Q,A) || Norm(Q,B)
  • Wrong(Q, AB) = Wrong(Q,A) || Wrong(Q,B)
  • If(e) x:=y+1 else x:=y+2
  • => (assume e; x:=y+1) 

(assume !e; x:=y+2)

  • Norm: e && x=y+1 || !e && x=y+2
strongest postcondition semantics 4
Strongest Postcondition Semantics (4)
  • Assignments
  • Wrong(Q, x:=e) is false
      • As assignments can never fail
  • Norm(Q, x:=e)
    • Introduce x’ to represent old value of x
    • Replace all occurrences of x in Q, e with x’
    • After the assignment Q is true and x=e is true
  • Norm: x’. x = e(x  x’) && Q(x  x’)
strongest postcondition semantics 5
Strongest Postcondition Semantics (5)
  • For While loops
    • Requires the loop invariant, I
  • Replace the while loop with its Desugar.
  • I: (i<=n) while( i < n ) { i := i+1; }
  • assert I; i = y; assume I;

( (assume i<n; i:=i+1; assert I; assume false)

assume !(i < n))

strongest postcondition semantics 6
Strongest Postcondition Semantics (6)
  • Norm of the desugar:
    • i’.i’<=n && (i<=n) && !(i<n)
    • Loop Inv holds at the beginning
    • Loop Inv and !(Loop Condn) holds at the end
  • Wrong of the desugar:
    • !(i<=n) ||

i’.i’<=n && i”.i”<n && i=i”+1 && !(i<=n)

    • Loop Inv fails at the beginning
    • Loop Inv fails at the end of the loop body
predicate abstraction example

i=0; n=100

T, F, T

i=1; n=100

F, F, T

i=2; n=100

F, T, F

i=99; n=100

i=100; n=100

Predicate Abstraction Example

n := 100; i := 0; while( i < n ) { i := i+1; }

Predicates: i=0 i=n i<n

predicate abstraction1
Predicate Abstraction
  • Given a Concrete System of states.
  • Use a Set of n Predicates Pi to map a concrete state to an abstract state
  • An abstract state contains n bits
  • Bit i represents if Pi is true/false in that state
  • Set of Concrete states

Mapped to a Set of Abstract states

( == Boolean Function)

using predicate abstraction to find the loop invariant
Using Predicate Abstraction to find the Loop Invariant
  • Think of the loop body as a “transition” fn.
  • Starting with a set of concrete states,
  • Symbolically execute the loop,
  • Combine the new states with the init states
  • Repeat till you reach a fixed point

= Set of all “reachable” concrete states

  • Doing the iteration in finite Abstract domain guarantees termination
  • Loop Invariant = Strongest Predicate true for all reachable concrete states.
predicate abstraction algorithm
Predicate Abstraction Algorithm
  •  - Abstraction function
  •  - Concretization function (the inverse)
  • C; while e do B end;
  • r = ( Norm(true, C) )
  • Do(Till Fixed Point of r ){

Current Concrete Set J =  ( r )

Symbolically Execute:

C; Havoc(targets(B)); assume e && J; B

Let Q be the new Concrete Set

r = r ||  ( Q )

}

problems with predicate abstraction
Problems with Predicate Abstraction
  • Determining the set of Predicates is key
  • Expensive
    • Exponential Calls to a Decision Procedure
    • Each call might take (super) exponential time
  • Abstraction is conservative
    • Property P holds in AbsDomain
      • Concrete version of the P holds in ConcDomain
    • If P does not hold in AbsDomain
      • P may or may not hold in ConcDomain
    • Difficult to debug if the program has bugs.
heuristics to pick predicates
Heuristics to Pick Predicates
  • For reference p, p != null
  • For an integer i, i is increasing/decreasing
  • For skolemized constant sc,

0 <= sc, sc < i, a[sc] != null

  • Not sure if it works for anything other than the examples.
optimize calls to the decision procedure
Optimize Calls to the Decision Procedure
  • Query for maximal clause m, only if implied by r
  • Find strongest clause c, that is implied by r
  • A divide and conquer algorithm that “works in practice”
results
Results
  • Seemingly (??) better than previous approaches
  • Predicate Guessing works for 90% of 396 loops in Javafe benchmark
conclusion
Conclusion
  • Problems with the paper
    • Alias Analysis?
    • Interprocedural Analysis?
    • Do not mention any domain where their approach holds