predicate abstraction of ansi c programs using sat l.
Download
Skip this Video
Download Presentation
Predicate Abstraction of ANSI-C Programs using SAT

Loading in 2 Seconds...

play fullscreen
1 / 27

Predicate Abstraction of ANSI-C Programs using SAT - PowerPoint PPT Presentation


  • 107 Views
  • Uploaded on

Predicate Abstraction of ANSI-C Programs using SAT. Edmund Clarke Daniel Kroening Natalia Shar y gina Karen Yorav (modified by Zaher Andraus for presentation in SWERVE only). Abstraction Refinement Loop. No error or bug found. Initial Abstraction. Verification. Actual Program.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Predicate Abstraction of ANSI-C Programs using SAT' - jorn


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
predicate abstraction of ansi c programs using sat

Predicate Abstraction ofANSI-C Programs using SAT

Edmund Clarke

Daniel KroeningNatalia SharyginaKaren Yorav

(modified by Zaher Andraus for presentation in SWERVE only)

abstraction refinement loop
Abstraction Refinement Loop

No erroror bug found

Initial

Abstraction

Verification

ActualProgram

ModelChecker

BooleanProgram

Spurious

counterexample

Abstraction refinement

  • This talk: How to compute Boolean program from
    • Actual ANSI-C program
    • Set of predicates
example
Example

int main()

{

bool p1, p2;

p1=TRUE;

p2=TRUE;

while(p2)

{

p1=p1?FALSE:nondet();

p2=!p2;

}

}

int main()

{

int i;

i=0;

while(even(i))

i++;

}

+

=

p1 i=0

p2 even(i)

problem
Problem

Concrete Transition

(basic block)

Concretestate

Concretenext state

Abstraction

function

(predicates)

Abstractstate

Abstractnext state

Abstract Transition

(basic block)

background
Background
  • How to create the initial predicates for abstraction?
    • (PVS) Manual! (Graf and Saidi, “Construction of abstract state graphs with PVS”)
    • (SLAM) Manual! (Ball, Majumdar, Millstein, Rajamani, “Automatic Predicate Abstraction of C Programs”)
    • (Clarke) Control-Driven! (Chaki, Clarke, Groce, Strichman, “Predicate Abstraction with Minimum Predicates”)

(modified by Zaher Andraus for presentation

in SWERVE only)

initial abstract machine
Initial Abstract Machine

(modified by Zaher Andraus for presentation

in SWERVE only)

optimizations
Optimizations
  • Eliminate Redundant Predicates (e.g. logically related)
  • Dynamic
  • Now we got the Predicates, we need to build the abstract machine!

(modified by Zaher Andraus for presentation

in SWERVE only)

existing tools
Existing Tools
  • Basic idea: with n predicates, there are2n£ 2n possible abstract transitions
  • Eliminate “obviously wrong” transitions(e.g.: predicate about variable x changes, but basic block does not mention x)
  • Try some subset of these possible transitions using a theorem prover
  • To be safe, remaining abstract transitions are added Over-approximation
existing tools example
Existing Tools: Example

Predicates

Basic Block

Formula

i++;

Query

?

Current Abstract State

Next Abstract State

existing tools example10
Existing Tools: Example

Predicates

Basic Block

Formula

i++;

Query

?

… and so on …

Current Abstract State

Next Abstract State

comment
Comment
  • This takes care of unreachable abstract states

(modified by Zaher Andraus for presentation

in SWERVE only)

what is the problem
What is the problem?

Problem of existing tools:

  • Large number of expensive theorem prover calls – slow
  • Over-approximation yields additional,unnecessary spurious counterexamples
  • Theorem prover works on natural numbers, but ANSI-C uses bit-vectors  false positives
  • Most theorem provers support only few operators(+, -, <, ≤, …), no bitwise operators
  • Very limited support for pointers,in particular pointer arithmetic
our solution use sat solver
Our Solution – use SAT solver!
  • Generate query equation withpredicates as free variables
our solution
Our Solution

Single query for Theorem Prover

Query for SAT

queries for larger basic blocks
Queries for Larger Basic Blocks

Basic Block

Predicates

i++;

j=i;

i=i*k;

i1=i0+1;

j1=i1;

i2=i1*k0;

+

Query for SAT

our solution16
Our Solution

Query for SAT

Use SAT solver!

  • Generate query equation withpredicates as free variables
  • Transform equation into CNF using Bit Vector LogicOne satisfying assignment matches one abstract transition
  • Obtain all satisfying assignments= most precise abstract transition relation
our solution17
Our Solution

Use SAT solver!

  • Generate query equation withpredicates as free variables
  • Transform equation into CNF using Bit Vector LogicOne satisfying assignment matches one abstract transition
  • Obtain all satisfying assignments= most precise abstract transition relation

This solves two problems:

  • Now can do all ANSI-C integer operators, including *, /, %, <<, etc.
  • Sound with respect to overflow

No moreunnecessary spurious counterexamples!

pointers
Pointers

Support for pointer expressions:

  • Address expression is translated into a bit vector with two components:
    • Object pointed at
    • Integer width offset within object (for arrays)
  • Supported operators:
    • &, *, [i]
    • Pointer + Integer (increases offset)
    • Pointer – Pointer
    • Pointer rel Pointer, with rel one of <,>,=, etc.
  • Check for illegal pointer operations added automatically
    • NULL reference, array bounds violation, etc…
pointers explanation
Pointers: Explanation…
  • Paper p. 113-114

(modified by Zaher Andraus for presentation

in SWERVE only)

control flow statements
Control-Flow Statements
  • Paper p. 117

(modified by Zaher Andraus for presentation

in SWERVE only)

the set of satisfying assignments
The Set of Satisfying Assignments

How do we obtain the set of all satisfying assignments?

  • This is a common problem – also needed for
    • Image computation / hardware verification
    • QBF solvers
  • Naïve approach:
  • Run SAT
  • If Satisfying assignment found then
    • add blocking clause
    • continue with 1)
performance
Performance

How does the performance compare with existing approaches?

  • Runtime potentially exponential
  • Exponential part is inside SAT solver,instead of exponential number ofTheorem Prover calls
  • SAT solver is not re-started; all the learning and pruning done by modern SAT solvers is retained between iterations.
  • All heuristics for “obvious” transitions are still applicable
performance23
Performance
  • Worst case:all possible assignments are satisfying
  • Formula includes addition operator
  • Runtime uncritical up to 2^14 assignments
performance24
Performance
  • More realistic experiment: two 32-bit variables, plus n predicates
  • Various operators: +, <, shifting, xor, or, and, combinations thereof, …
  • All predicates are affected by basic block

Compare to 2n£ 2n potential theorem prover calls!

performance improvements
Performance Improvements

Better than enumerating?

  • Approximation of set cover obtains small set of predicates that is actually required to cover the CNF
  • Analyze literal dependency graph to identify free variables

Both techniques yield a set of abstract

transitions

performance improvements26
Performance Improvements

Expensive operators

Instead of adding full clause structure for expensive operators such as %, /, *,make it uninterpreted, and add important properties as constraints:

  • Transitivity
  • Congruence Closure
  • Commutativity
  • Special cases (x/1=x, …)
  • Others: x/y, y>1  x>x/y etc.
future work
Future Work
  • Interval abstraction for floating point arithmetic
  • Experiments with full abstraction refinement loop: Evaluate effect of more precise abstraction
  • Try predicate abstraction to actually prove properties of computed values
  • Predicate abstraction for concurrent programs