Predicate Abstraction of ANSI-C Programs using SAT

1 / 27

Predicate Abstraction of ANSI-C Programs using SAT - PowerPoint PPT Presentation

Predicate Abstraction of ANSI-C Programs using SAT. Edmund Clarke Daniel Kroening Natalia Shar y gina Karen Yorav (modified by Zaher Andraus for presentation in SWERVE only). Abstraction Refinement Loop. No error or bug found. Initial Abstraction. Verification. Actual Program.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

PowerPoint Slideshow about 'Predicate Abstraction of ANSI-C Programs using SAT' - jorn

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Predicate Abstraction ofANSI-C Programs using SAT

Edmund Clarke

Daniel KroeningNatalia SharyginaKaren Yorav

(modified by Zaher Andraus for presentation in SWERVE only)

Abstraction Refinement Loop

No erroror bug found

Initial

Abstraction

Verification

ActualProgram

ModelChecker

BooleanProgram

Spurious

counterexample

Abstraction refinement

• This talk: How to compute Boolean program from
• Actual ANSI-C program
• Set of predicates
Example

int main()

{

bool p1, p2;

p1=TRUE;

p2=TRUE;

while(p2)

{

p1=p1?FALSE:nondet();

p2=!p2;

}

}

int main()

{

int i;

i=0;

while(even(i))

i++;

}

+

=

p1 i=0

p2 even(i)

Problem

Concrete Transition

(basic block)

Concretestate

Concretenext state

Abstraction

function

(predicates)

Abstractstate

Abstractnext state

Abstract Transition

(basic block)

Background
• How to create the initial predicates for abstraction?
• (PVS) Manual! (Graf and Saidi, “Construction of abstract state graphs with PVS”)
• (SLAM) Manual! (Ball, Majumdar, Millstein, Rajamani, “Automatic Predicate Abstraction of C Programs”)
• (Clarke) Control-Driven! (Chaki, Clarke, Groce, Strichman, “Predicate Abstraction with Minimum Predicates”)

(modified by Zaher Andraus for presentation

in SWERVE only)

Initial Abstract Machine

(modified by Zaher Andraus for presentation

in SWERVE only)

Optimizations
• Eliminate Redundant Predicates (e.g. logically related)
• Dynamic
• Now we got the Predicates, we need to build the abstract machine!

(modified by Zaher Andraus for presentation

in SWERVE only)

Existing Tools
• Basic idea: with n predicates, there are2n£ 2n possible abstract transitions
• Eliminate “obviously wrong” transitions(e.g.: predicate about variable x changes, but basic block does not mention x)
• Try some subset of these possible transitions using a theorem prover
• To be safe, remaining abstract transitions are added Over-approximation
Existing Tools: Example

Predicates

Basic Block

Formula

i++;

Query

?

Current Abstract State

Next Abstract State

Existing Tools: Example

Predicates

Basic Block

Formula

i++;

Query

?

… and so on …

Current Abstract State

Next Abstract State

Comment
• This takes care of unreachable abstract states

(modified by Zaher Andraus for presentation

in SWERVE only)

What is the problem?

Problem of existing tools:

• Large number of expensive theorem prover calls – slow
• Over-approximation yields additional,unnecessary spurious counterexamples
• Theorem prover works on natural numbers, but ANSI-C uses bit-vectors  false positives
• Most theorem provers support only few operators(+, -, <, ≤, …), no bitwise operators
• Very limited support for pointers,in particular pointer arithmetic
Our Solution – use SAT solver!
• Generate query equation withpredicates as free variables
Our Solution

Single query for Theorem Prover

Query for SAT

Queries for Larger Basic Blocks

Basic Block

Predicates

i++;

j=i;

i=i*k;

i1=i0+1;

j1=i1;

i2=i1*k0;

+

Query for SAT

Our Solution

Query for SAT

Use SAT solver!

• Generate query equation withpredicates as free variables
• Transform equation into CNF using Bit Vector LogicOne satisfying assignment matches one abstract transition
• Obtain all satisfying assignments= most precise abstract transition relation
Our Solution

Use SAT solver!

• Generate query equation withpredicates as free variables
• Transform equation into CNF using Bit Vector LogicOne satisfying assignment matches one abstract transition
• Obtain all satisfying assignments= most precise abstract transition relation

This solves two problems:

• Now can do all ANSI-C integer operators, including *, /, %, <<, etc.
• Sound with respect to overflow

No moreunnecessary spurious counterexamples!

Pointers

Support for pointer expressions:

• Address expression is translated into a bit vector with two components:
• Object pointed at
• Integer width offset within object (for arrays)
• Supported operators:
• &, *, [i]
• Pointer + Integer (increases offset)
• Pointer – Pointer
• Pointer rel Pointer, with rel one of <,>,=, etc.
• Check for illegal pointer operations added automatically
• NULL reference, array bounds violation, etc…
Pointers: Explanation…
• Paper p. 113-114

(modified by Zaher Andraus for presentation

in SWERVE only)

Control-Flow Statements
• Paper p. 117

(modified by Zaher Andraus for presentation

in SWERVE only)

The Set of Satisfying Assignments

How do we obtain the set of all satisfying assignments?

• This is a common problem – also needed for
• Image computation / hardware verification
• QBF solvers
• Naïve approach:
• Run SAT
• If Satisfying assignment found then
• continue with 1)
Performance

How does the performance compare with existing approaches?

• Runtime potentially exponential
• Exponential part is inside SAT solver,instead of exponential number ofTheorem Prover calls
• SAT solver is not re-started; all the learning and pruning done by modern SAT solvers is retained between iterations.
• All heuristics for “obvious” transitions are still applicable
Performance
• Worst case:all possible assignments are satisfying
• Runtime uncritical up to 2^14 assignments
Performance
• More realistic experiment: two 32-bit variables, plus n predicates
• Various operators: +, <, shifting, xor, or, and, combinations thereof, …
• All predicates are affected by basic block

Compare to 2n£ 2n potential theorem prover calls!

Performance Improvements

Better than enumerating?

• Approximation of set cover obtains small set of predicates that is actually required to cover the CNF
• Analyze literal dependency graph to identify free variables

Both techniques yield a set of abstract

transitions

Performance Improvements

Expensive operators

Instead of adding full clause structure for expensive operators such as %, /, *,make it uninterpreted, and add important properties as constraints:

• Transitivity
• Congruence Closure
• Commutativity
• Special cases (x/1=x, …)
• Others: x/y, y>1  x>x/y etc.
Future Work
• Interval abstraction for floating point arithmetic
• Experiments with full abstraction refinement loop: Evaluate effect of more precise abstraction
• Try predicate abstraction to actually prove properties of computed values
• Predicate abstraction for concurrent programs