
Model Checking with Proofs and Counterexamples

Model Checking with Proofs and Counterexamples. Anvesh Komuravelli, Carnegie Mellon University. Joint work with Arie Gurfinkel, Sagar Chaki, and Edmund Clarke.


Presentation Transcript


  1. Model Checking with Proofs and Counterexamples. Anvesh Komuravelli, Carnegie Mellon University. Joint work with Arie Gurfinkel, Sagar Chaki, and Edmund Clarke.

  2. Safety of Programs. Automatic verification for assertion failures: Program P + Safety Assertions is answered with either Safe + Proof or Unsafe + Counterexample.
       0. x := 0;
       1. while (x < n) {
            x := x + 1;
          }
       3. x := -x;
       4. assert (x ≤ 0)
     Loop invariant: x ≥ 0 (so x ≤ 0 holds after line 3 and the assertion never fails).

  3. Safety of Programs. While-programs (unbounded variables, no procedure calls, no memory operations). Automatic verification for assertion failures: Program P + Safety Assertions gives Safe + Proof or Unsafe + Counterexample.
       0. x := 0;
       1. while (x < n) {
            x := x + 1;
          }
       3. x := -x;
       4. assert (x ≤ -1)
     Counterexample trace: pc=0: x=0, n=0; pc=1: else branch (loop not entered); pc=3: x=0; pc=4: error.

  4. Algorithms for Safety
     • Safety is undecidable! (Reduction from the Halting Problem to safety of a 2-counter machine.)
     • Existing algorithms use heuristics that verify many programs in practice.
     • Two broad classes of model checking algorithms:
       (A) Generalize feasible and safe behaviors (Proof-Based)
       (B) Eliminate infeasible and unsafe behaviors (Counterexample-Based)
     This talk: improve (A) using ideas from (B).

  5. Background on Proof-Based algorithms

  6. Programs as Transition Systems. A transition system consists of: Variables; an Init condition; a Transition relation (encodes how data and control change after every instruction); an Error condition (should never hold).
       0. x := 0;
       1. while (x < n) {
            x := x + 1;
          }
       3. x := -x;
       4. assert (x ≤ 0)

  7. SAT-Based Model Checking. Given the transition system, ask a solver: Counterexample of length 0? SAT? Counterexample of length 1? SAT? ...
     • Boolean SAT is NP-complete, but we have efficient solvers today.
     • SAT modulo theories (SMT) for handling arithmetic, etc. Eg: is unsatisfiable for integers x, y.
     Bounded Model Checking, Clarke et al., TACAS 1999.

  8. SAT-Based Model Checking. Are the initial states safe? (Counterexample of length 0? SAT?) Are the 1-step-reachable states safe? (Counterexample of length 1? SAT?) ... Keep track of the reachable states! When do we stop? There is no upper bound on the length of a counterexample! Even for finite-state systems, the upper bound can be huge!
     Bounded Model Checking, Clarke et al., TACAS 1999.
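The bounded check of slides 7-8, as an added example that is not code from the talk or from Spacer. The program of slide 3 is written as a transition system over (pc, x, n) in the sense of slide 6 and checked for counterexamples of length 0, 1, 2, ... up to a bound. Real BMC unrolls the transition relation symbolically and asks a SAT/SMT solver; this example instead enumerates states explicitly, so the symbolic input n is drawn from a small constructed range (an assumption made to keep the example self-contained).

```python
# Explicit-state bounded model checking of the while-program from slides 2-3.
# Assumption: the input n is enumerated over a small constructed range instead
# of being left symbolic, so the search is explicit rather than SAT-based.

N_RANGE = range(0, 4)            # constructed finite domain for the input n


def init_states():
    """Init condition: pc=0, x not yet assigned (modelled as 0), n any input."""
    return {(0, 0, n) for n in N_RANGE}


def step(state, assert_ok):
    """Transition relation: successors of one state.
    pc=5 is the exit of the program, pc='err' the error sink."""
    pc, x, n = state
    if pc == 0:
        return [(1, 0, n)]                      # 0. x := 0
    if pc == 1:                                 # 1. while (x < n)
        return [(2, x, n)] if x < n else [(3, x, n)]
    if pc == 2:
        return [(1, x + 1, n)]                  #    x := x + 1
    if pc == 3:
        return [(4, -x, n)]                     # 3. x := -x
    if pc == 4:                                 # 4. assert (...)
        return [(5, x, n)] if assert_ok(x) else [("err", x, n)]
    return []                                   # exit and error states are sinks


def bmc(assert_ok, max_bound):
    """Ask, for k = 0, 1, ..., max_bound: is there a counterexample of length k?
    Returns (k, trace) for the shortest one, or None if none exists within the bound
    (which says nothing about longer counterexamples: slide 8's "when do we stop?")."""
    frontier = [(s, [s]) for s in init_states()]        # traces of length 0
    for k in range(max_bound + 1):
        for state, trace in frontier:
            if state[0] == "err":
                return k, trace
        frontier = [(t, trace + [t])
                    for state, trace in frontier
                    for t in step(state, assert_ok)]     # one more unrolling
    return None
```

With assert (x ≤ -1) the search finds the 4-step trace of slide 3 (n = 0, loop skipped, x negated to 0, assertion fails); with assert (x ≤ 0) it finds nothing up to the bound, but that is only bounded safety: for the unbounded claim one needs a proof such as the loop invariant of slide 13.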

  9. Keep Track of the Reachable States: usually hopeless! (Figure: Initial States; states reachable in ≤1 steps; states reachable in ≤2 steps; ...; reach(P); err(x).)

  10. Reachable states can be diverging! n is a symbolic input.
       0. x := 0;
       1. while (x < n) {
            x := x + 1;
          }
       3. x := -x;
       4. assert (x ≤ 0)
     The set of reachable states at pc=1 keeps growing with the number of steps and never converges (diverging) ...

  11. Generalize the reachable states! (Figure: bounded reachable states, ..., err(x).) Generalize using heuristics based on Craig interpolation [1,2].
     [1] McMillan, Interpolation and SAT-Based Model Checking, CAV 2003.
     [2] McMillan, Lazy Abstraction with Interpolants, CAV 2006.

  12. Generalize the reachable states! (Figure: the generalized set covers reach(P) and is disjoint from err(x).)

  13. Proofs and Invariants. x ≥ 0 is a loop invariant!
       0. x := 0;
       1. while (x < n) {
            x := x + 1;
          }
       3. x := -x;
       4. assert (x ≤ 0)
     The reachable states at pc=1 are diverging, but x ≥ 0 holds at pc=1 for every bound: it is a proof of "bounded" safety for each bound and, being inductive, a proof of safety. The actual set of reachable states is stronger: 0 ≤ x ≤ n.

  14. Many heuristics for generalizations! (Figure: one possible generalization, another possible generalization, err(x).)
     • No unique generalization!
     • Today's best algorithms for hardware verification are SAT-based.
     • Several competitive algorithms exist for software.

  15. The Problem: generalizations are not always sufficient.

  16. Generalizations can suffer from a local view. The state-of-the-art tool Z3 cannot verify this program in an hour:
       x = y = z = w = 0;
       while (*) {
         // loop invariant:
         // (x ≥ 4 => y ≥ 100) && (z ≤ 10w)
         if (*) { x++; y += 100; }
         else if (*) if (x ≥ 4) { x++; y++; }
         else if (y > 10w && z ≥ 100x) { y = −y; }
         t = 1; w += t; z += 10t;
       }
       assert (!(x ≥ 4 && y ≤ 2))
     Proofs of bounded safety never connect z and w.
     Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS '08.

  17. Abstractions for better generalizations! Replace the assignment t = 1 by the nondeterministic t = *:
       x = y = z = w = 0;
       while (*) {
         // loop invariant:
         // (x ≥ 4 => y ≥ 100) && (z ≤ 10w)
         if (*) { x++; y += 100; }
         else if (*) if (x ≥ 4) { x++; y++; }
         else if (y > 10w && z ≥ 100x) { y = −y; }
         t = *; w += t; z += 10t;
       }
       assert (!(x ≥ 4 && y ≤ 2))
     Z3 verifies the abstraction in < 1 sec. Abstractions only add behaviors, so a proof for the abstraction is a proof for the original program.
     Source: Automatically Refining Abstract Interpretations, Gulavani, Chakraborty, Nori and Rajamani, TACAS '08.

  18. How to obtain helpful abstractions automatically? An abstraction of the program can dramatically improve generalizations! How to obtain helpful abstractions? How to efficiently and automatically maintain abstractions?

  19. Abstractions are great, but not always! (Figure: reachable states of an abstraction, reach(P), err(x), and a spurious counterexample that exists only in the abstraction.) This is where the second class of algorithms comes in: CounterExample-Guided Abstraction Refinement (CEGAR) [1].
     [1] Clarke et al., Counterexample-Guided Abstraction Refinement, CAV 2000.

  20. Our algorithm: Spacer

  21. Spacer (Software Proof-based Abstraction with CounterExample-based Refinement). Flowchart: Program → Abstract → Fix a Bound → Check Safety. If the bounded check succeeds: Invariants? Yes → Safety Proof; No → Proof-Based Abstraction (build a new abstraction from the bounded proof and go back to Abstract with a larger bound). If the bounded check fails: Feasible? Yes → Counterexample; No → Refine (CEGAR) → Abstract.

  22-25. The same flowchart, highlighting in turn Proofs from Abstractions (22), Refinement using Spurious Counterexamples (23) and Proof-Based Abstraction (24); slide 25 repeats it unchanged.

  26. Spacer at a high level (figure): start from an abstraction A1 of P obtained by proof-based abstraction; the initial states of A1 include those of P and reach(A1) includes reach(P); a generalization/proof is computed for A1 against err(x).

  27. Spacer at a high level (figure): the states of A1 reachable in ≤1 steps intersect err(x): a spurious counterexample.

  28. Spacer at a high level (figure): refine A1 to A2, eliminating the spurious counterexample; the states of A2 reachable in ≤1 steps still include those of P reachable in ≤1 steps, and a new generalization/proof is computed.

  29. Spacer at a high level (figure): a fresh abstraction A3, built by proof-based abstraction, to avoid bias; its states reachable in ≤1 steps again include those of P.

  30. Key Ideas of Spacer
     • Abstractions help obtain (hopefully) more general proofs.
     • First integration of Proof-Based Abstraction with SAT/SMT-Based Model Checking.
     • Orthogonal to heuristics for interpolation/generalization.
     • Implementation and experimental evidence on C programs.

  31. Abstractions add a new dimension (figure): SAT-based model checking iterates along the bound; abstraction adds a second axis (Abstract).

  32. SAT-based model checking with abstractions (figure): the under-approximations computed along the abstraction axis need not be monotonic.

  33. SAT-based model checking with abstractions (figure): the goal is a non-trivial abstraction.

  34. (The Spacer flowchart of slide 21, repeated.)

  35. Spacer on Example

  36. Spacer on Example. Add a counter c, bound the loop with assume (c < 2), and solve; the comments are the loop invariants found for the bounded program.
       x = y = z = w = 0; c = 0;
       while (*) {
         // (y > 10w) => (z < 100x), z ≤ 100x,
         // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
         assume (c < 2);
         if (*) { x++; y += 100; }
         else if (* && x ≥ 4) { x++; y++; }
         else if (y > 10w && z ≥ 100x) { y = −y; }
         else assume (false);
         w++; z += 10; c += 1;
       }
       assert (!(x ≥ 4 && y ≤ 2));
     Steps: Add Counters → Bound → Solve.

  37. Spacer on Example. Treat the lemmas of the bounded proof as conjectured unbounded invariants (as in Houdini [1]) and extract the ones that are preserved by the unbounded loop.
       x = y = z = w = 0; c = 0;
       while (*) {
         // (y > 10w) => (z < 100x), z ≤ 100x          <- preserved!
         // x ≤ 2                                      <- specific to the under-approximation
         // c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1              <- depend on the counter
         assume (c < 2);
         if (*) { x++; y += 100; }
         else if (* && x ≥ 4) { x++; y++; }
         else if (y > 10w && z ≥ 100x) { y = −y; }
         else assume (false);
         w++; z += 10; c += 1;
       }
       assert (!(x ≥ 4 && y ≤ 2));
     Steps: Bound → Solve → Unbounded?
     [1] Houdini, an annotation assistant for ESC/Java, C. Flanagan and K.R.M. Leino, 2001.

  38. Spacer on Example. Without the bound (assume (c < 2) removed), the extracted unbounded invariants are too weak to prove the assertion ✖.
       x = y = z = w = 0; c = 0;
       while (*) {
         // (y > 10w) => (z < 100x), z ≤ 100x,
         // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
         if (*) { x++; y += 100; }
         else if (* && x ≥ 4) { x++; y++; }
         else if (y > 10w && z ≥ 100x) { y = −y; }
         else assume (false);
         w++; z += 10; c += 1;
       }
       assert (!(x ≥ 4 && y ≤ 2));
     Steps: Bound → Solve → Unbounded? NO → Abstract.

  39. Spacer on Example. Strengthen the program with the extracted invariants, assumed at loop entry and again at the end of the loop body (the second copy is marked redundant on the slide).
       x = y = z = w = 0; c = 0;
       assume (y > 10w => z < 100x, z ≤ 100x);
       while (*) {
         // (y > 10w) => (z < 100x), z ≤ 100x,
         // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
         assume (c < 2);
         if (*) { x++; y += 100; }
         else if (* && x ≥ 4) { x++; y++; }
         else if (y > 10w && z ≥ 100x) { y = −y; }
         else assume (false);
         w++; z += 10; c += 1;
         assume (y > 10w => z < 100x, z ≤ 100x);
       }
       assert (!(x ≥ 4 && y ≤ 2));
     Steps: Bound → Solve → Unbounded? NO → Abstract (strengthen with invariants).

  40. Spacer on Example. Proof-based abstraction: the assignments the bounded proof did not need are replaced by nondeterministic ones (y += 100, y++ and y = −y become y = *; w++ becomes w = *; z += 10 becomes z = *).
       x = y = z = w = 0; c = 0;
       assume (y > 10w => z < 100x, z ≤ 100x);
       while (*) {
         // (y > 10w) => (z < 100x), z ≤ 100x,
         // x ≤ 2, c ≤ 0 => x ≤ 0, c ≤ 1 => x ≤ 1
         assume (c < 2);
         if (*) { x++; y = *; }
         else if (* && x ≥ 4) { x++; y = *; }
         else if (y > 10w && z ≥ 100x) { y = *; }
         else assume (false);
         w = *; z = *; c += 1;
         assume (y > 10w => z < 100x, z ≤ 100x);
       }
       assert (!(x ≥ 4 && y ≤ 2));
     Steps: Bound → Solve → Unbounded? NO → Abstract (proof-based abstraction).

  41. Spacer on Example. With the bound raised to assume (c < 4), the abstraction has a counterexample: increment x to 4 through the first branch and choose y arbitrarily (y ≤ 2). Concretize it: the concrete control path is infeasible, since along the concrete program the same path gives y = 400.
       x = y = z = w = 0; c = 0;
       assume (y > 10w => z < 100x, z ≤ 100x);
       while (*) {
         assume (c < 4);
         if (*) { x++; y = *; }
         else if (* && x ≥ 4) { x++; y = *; }
         else if (y > 10w && z ≥ 100x) { y = *; }
         else assume (false);
         w = *; z = *; c += 1;
         assume (y > 10w => z < 100x, z ≤ 100x);
       }
       assert (!(x ≥ 4 && y ≤ 2));
     Steps: Bound → Solve → Counterexample! → Feasible? NO → Refine.

  42. Spacer on Example. CEGAR refinement: the concrete updates of y are restored, since the spurious counterexample depended on them; w and z stay abstract.
       x = y = z = w = 0; c = 0;
       assume (y > 10w => z < 100x, z ≤ 100x);
       while (*) {
         assume (c < 4);
         if (*) { x++; y += 100; }
         else if (* && x ≥ 4) { x++; y++; }
         else if (y > 10w && z ≥ 100x) { y = −y; }
         else assume (false);
         w = *; z = *; c += 1;
         assume (y > 10w => z < 100x, z ≤ 100x);
       }
       assert (!(x ≥ 4 && y ≤ 2));
     Steps: Feasible? NO → Refine → Bound → Solve.
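The "Concretize / Feasible?" step of slides 41-42, as an added example that is not Spacer's code. The abstract counterexample is modelled as the list of branches the abstract model took in each loop iteration (an assumption about its shape), and the concrete program of slide 16 is replayed along that control path: if a guard cannot be taken concretely the path is infeasible, if the assertion is reached and violated the counterexample is real, and if the assertion holds the counterexample was spurious and the abstraction must be refined.

```python
# Concrete replay of an abstract counterexample for the program of slide 16.
# Assumption: the abstract counterexample is given as the branch taken in each
# loop iteration; the loop exits after the last listed iteration.

BRANCH_INC, BRANCH_X_GE_4, BRANCH_NEGATE = 0, 1, 2


def replay(branches):
    """Replay the concrete program along the control path `branches`.
    Returns
      ("infeasible", i, reason)   the guard of iteration i does not hold concretely,
      ("counterexample", state)   the path reaches the assertion and violates it,
      ("spurious", state)         the path is feasible but the assertion holds."""
    x = y = z = w = 0
    for i, b in enumerate(branches):
        if b == BRANCH_INC:                     # if (*) { x++; y += 100; }
            x += 1
            y += 100
        elif b == BRANCH_X_GE_4:                # else if (* && x >= 4) { x++; y++; }
            if not x >= 4:
                return ("infeasible", i, "x >= 4 does not hold")
            x += 1
            y += 1
        elif b == BRANCH_NEGATE:                # else if (y > 10w && z >= 100x) { y = -y; }
            if not (y > 10 * w and z >= 100 * x):
                return ("infeasible", i, "y > 10w && z >= 100x does not hold")
            y = -y
        else:
            raise ValueError(f"unknown branch {b!r}")
        t = 1                                   # t = 1; w += t; z += 10t;
        w += t
        z += 10 * t
    state = {"x": x, "y": y, "z": z, "w": w}
    if x >= 4 and y <= 2:                       # assert (!(x >= 4 && y <= 2))
        return ("counterexample", state)
    return ("spurious", state)
```

The slide-41 counterexample (four rounds of the first branch, then y chosen ≤ 2) replays to x = 4, y = 400: the assertion holds, so the counterexample is spurious and the refinement of slide 42 restores the updates of y that the abstraction had dropped.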

  43. Spacer on Example. The bounded proof of the refined abstraction yields invariants that are preserved without the bound:
       x = y = z = w = 0; c = 0;
       assume (y > 10w => z < 100x, z ≤ 100x);
       while (*) {
         // (y > 10w) => (z < 100x), z ≤ 100x
         // y > 0, (x > 0) => (y ≥ 100)
         assume (c < 4);
         if (*) { x++; y += 100; }
         else if (* && x ≥ 4) { x++; y++; }
         else if (y > 10w && z ≥ 100x) { y = −y; }
         else assume (false);
         w = *; z = *; c += 1;
         assume (y > 10w => z < 100x, z ≤ 100x);
       }
       assert (!(x ≥ 4 && y ≤ 2));
     Steps: Bound → Solve → Unbounded? YES → Safety Proof.

  44. Implementation Details

  45. Three Key Components: Extracting Unbounded Invariants (focus of what follows); Proof-Based Abstraction; Counterexample Analysis and Refinement. How can we efficiently use today's SAT/SMT solvers?

  46. Extracting Unbounded Invariants. An invariant for the transition system is a formula φ that holds for the initial states (initial) and is preserved by every transition (transition); φ is an invariant iff both conditions hold. Given: a set L of conjectures for invariants, each of which includes the initial states. Goal: a maximal subset I of L such that the conjunction of I is an invariant.

  47. Extracting Unbounded Invariants. Given: a set L of conjectures, each including the initial states. Goal: a maximal subset I of L whose conjunction is an invariant. Ask the solver whether the conjunction of I can be violated after one transition: unsat means I is preserved; sat gives a model that makes some conjecture false after the transition, so drop that conjecture and re-start from scratch ... until a fixed point is reached.

  48. Extracting Unbounded Invariants. Introduce assumption variables, one per conjecture, so that the solver is queried incrementally instead of re-started: unsat means done; sat identifies a conjecture the model makes false after the transition, which is disabled through its assumption variable before the next query ...
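The Houdini-style extraction of slides 46-48, as an added example and not Spacer's implementation. Conjectures are predicates over the loop-head state (x, n) of the program of slide 13. The real algorithm asks a SAT/SMT solver whether some state satisfying all current conjectures has a successor that violates one of them; here that query is answered by enumerating a small constructed finite domain of states (an assumption that keeps the example self-contained), and the re-start-from-scratch loop of slide 47 is used rather than the assumption variables of slide 48. The candidate lemmas are constructed for the example; "x != -1" is there to show why conjectures are checked as a conjunction, since it is preserved only together with "x >= 0".

```python
# Houdini-style computation of the maximal inductive subset of a set of
# conjectured loop invariants for  while (x < n) { x := x + 1; }  (slide 13).
# Assumption: states are enumerated over constructed finite domains instead of
# being handled symbolically by a SAT/SMT solver.

X_DOMAIN = range(-3, 7)                      # constructed finite domain for x
N_DOMAIN = range(-2, 4)                      # constructed finite domain for the input n
DOMAIN = [(x, n) for x in X_DOMAIN for n in N_DOMAIN]
INIT = [(0, n) for n in N_DOMAIN]            # loop head is first reached with x = 0


def succ(state):
    """Loop-head-to-loop-head transition; loop exit has no loop-head successor."""
    x, n = state
    return [(x + 1, n)] if x < n else []


CONJECTURES = {                              # constructed candidate lemmas
    "x >= 0":         lambda s: s[0] >= 0,
    "x != -1":        lambda s: s[0] != -1,          # preserved only together with x >= 0
    "x <= max(n, 0)": lambda s: s[0] <= max(s[1], 0),
    "x <= 2":         lambda s: s[0] <= 2,           # holds initially, not preserved
    "x == 0":         lambda s: s[0] == 0,           # holds initially, not preserved
    "n >= 0":         lambda s: s[1] >= 0,           # fails on some initial states
}


def counterexample_to_induction(inv, pred, succ=succ, domain=DOMAIN):
    """A state satisfying every conjecture in `inv` whose successor violates
    `pred` (the 'sat' case of slide 47), as (state, successor), or None."""
    for s in domain:
        if all(p(s) for p in inv.values()):
            for t in succ(s):
                if not pred(t):
                    return s, t
    return None


def is_invariant(inv, init=INIT, succ=succ, domain=DOMAIN):
    """The (initial) and (transition) conditions of slide 46 for the conjunction of `inv`."""
    def holds(s):
        return all(p(s) for p in inv.values())
    return (all(holds(s) for s in init)
            and all(holds(t) for s in domain if holds(s) for t in succ(s)))


def houdini(conjectures=CONJECTURES, init=INIT, succ=succ, domain=DOMAIN):
    """Maximal subset of `conjectures` whose conjunction is an invariant."""
    # (initial): keep only conjectures that hold on every initial state
    inv = {name: p for name, p in conjectures.items() if all(p(s) for s in init)}
    # (transition): drop one falsified conjecture and re-start, until a fixed point
    while True:
        dropped = next((name for name, p in inv.items()
                        if counterexample_to_induction(inv, p, succ, domain)), None)
        if dropped is None:
            return inv
        del inv[dropped]
```

The result keeps "x >= 0", "x <= max(n, 0)" and "x != -1" (the last one survives only because the check is made relative to the conjunction, so states with x = -2 are never considered), drops "n >= 0" at the initial-state check and drops "x == 0" and "x <= 2" as not preserved; the order in which falsified conjectures are removed does not change the result, which is why the incremental variant with assumption variables of slide 48 can replace the re-start without losing anything.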

  49. Proof-Based Abstraction. A proof of "bounded" safety for the bounded transition system is a formula that holds of the initial states (initial), holds after every transition up to the given bound (transition), and excludes the error states (safety). Not all of the transition relation is necessary for the proof!

  50. Proof-Based Abstraction. The bounded check is unsat; the UNSAT core identifies the parts of the transition relation the solver actually used. Re-check with only those parts: still unsat, so the rest can be abstracted away (as on slide 40). Iteratively minimize until the core is stable.
