1 / 27

Combining Predicate and Numeric Abstraction for Software Model Checking

Combining Predicate and Numeric Abstraction for Software Model Checking. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel and Sagar Chaki. Automated Software Analysis. Correct. Automated Analysis. Program. Incorrect.

kadeem
Download Presentation

Combining Predicate and Numeric Abstraction for Software Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel and Sagar Chaki

  2. Automated Software Analysis Correct Automated Analysis Program Incorrect Software Model Checking with Predicate Abstraction e.g., Microsoft’s SDV Abstract Interpretation with Numeric Abstraction e.g., ASTREE, Polyspace

  3. Unrealistic PA Precision NA Scalability Predicate and Numeric Abstractions • Predicate Abstraction (PA) (e.g., SDV) • Typical property: no lock is acquired twice • Program verification reduced topropositional reasoning with model checker • Works wellfor control-driven programs • Works poorly for data-driven programs • Numeric Abstraction (NA) (e.g, ASTREE) • Typical property: no arithmetic overflow • Program verification reduced to arithmetic reasoning • Works well for data-driven programs • Works poorly for control-driven programs • How to combine PA and NA to get the best of both?

  4. Outline • Predicate and Numeric Abstract for Program Analysis • Strength and Weakness • An “Ideal” Combination • PA+NA Combination • Abstract Transformers • Data Structures • Experimental Results • Current and Future Work

  5. if (tt) p := 1; else if (ff) p := 0; else p := *; p := ch(tt,ff) Predicate Abstraction: An Example p1:i=1 p2:i=2 p3:x1>0 p4:x2<0 Concrete Program Abstract Program assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0); assume (p1 || p2) if (p1) p3 := ch(p1||p2,false); else if (p2) p4 := true if (p1) assert (p3); else if (p2) assert (p4);

  6. Analysis with Predicate Abstraction p1:i=1 p2:i=2 p3:x1>0 p4:x2<0 Abstract Program assume (p1 || p2) if (p1) p3 := ch(p1||p2,false); else if (p2) p4 := true if (p1) assert (p3); else if (p2) assert (p4); p1 || p2 p1 p1&&p3 p1&&p3 || !p1&&p2&&p4 !p1&&p2 !p1&&p2&&p4 p1&&p3 Can prove safety !p1&&p2&&p4

  7. Numeric Abstract Interpretation • Analysis is restricted to a fixed Abstract Domain • Abstract Domain ≡ “a (possibly infinite) set of predicates from a fixed theory” + efficient operations • Examples of Numeric Abstract Domains • Signs 0 < x, x = 0, x > 0 • Intervals c1 x  c2, where c1,c2 are a constants • Octagons ± x ± y  c, where c is a constant • Polyhedra a1x1 + a2x2 +a3x3 + a4 0, where ai are constants

  8. Numeric Abstraction: An Example Abstraction Concrete Program Abstract Program assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i = 2) assert (x2 < 0); assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i := 2) assert (x2 < 0);

  9. Analysis with Intervals NA (1) Abstract Program assume (i=1 || i=2) if (i = 1) x1 := i; else if (i = 2) x2 := -4; if (i = 1) assert (x1 > 0); else if (i := 2) assert (x2 < 0); 1 <= i <= 2 i=1 1 <= i <= 2 i=1 && x1=1 i=2 Loss of precision due to join i=2 && x2=-4 i=1 Cannot prove safety i=2

  10. Analysis with Intervals NA (2) Abstract Program if (3 <= y1 <= 4) { x1 := y1-2; x2 := y1+2; } else if (3 <= y2 <= 4) { x1 := y2-2; x2 := y2+2; } else return; assert (5 <= x1 + x2 <= 10); 3 <= y1 <= 4 3 <= y1 <= 4 1 <= x1 <= 2 5 <= x2 <= 6 3 <= y2 <= 4 1 <= x1 <= 2 5 <= x2 <= 6 3 <= y2 <= 4 1<=x1<=2 5<=x2<=6 Using PA expensive!

  11. Abstraction “Ideal” combination of PA + NA Concrete Program Abstract Program assume (x1 = x2); if (A[y1+y2] = 3) { x1 := y1 – 2; x2 := y2 + 2; } else A[x1+x2] := 5; if (A[x1+x2] = 3) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) assume (x1 = x2); if (p) { x1 := y1 – 2 && q := *; x2 := y2 + 2 &&& q := ch ((x1=y1-2)&&p,f) } else q := false; if (q) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) Predicates: p: A[y1+y2]=3 q: A[x1+x2]=3 Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3

  12. Abstraction “Ideal” combination of PA + NA Concrete Program Abstract Program Parallel composition assume (x1 = x2); if (A[y1+y2] = 3) { x1 := y1 – 2; x2 := y2 + 2; } else A[x1+x2] := 5; if (A[x1+x2] = 3) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) assume (x1 = x2); if (p) { x1 := y1 – 2 && q := *; x2 := y2 + 2 &&& q := ch ((x1=y1-2)&&p,f) } else q := false; if (q) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) Abstract with Predicates p: A[y1+y2]==3 q: A[x1+x2]==3 Concrete transformer a.k.a. program statement Abstract transformer Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3

  13. Analyzing with PA + NA Abstract Program x1=x2 p && x1=x2 p && q && x1=y1-2 && x2=y2+2 || !p && !q && x1=x2 assume (x1 = x2); if (p) { x1 := y1 – 2 && q := *; x2 := y2 + 2 &&& q := ch ((x1+2 = y1)&&p,f) } else q := false; if (q) { x1 := x1 + x2; x2 := x2+y1-2; } assert (x1 = x2) p && x1=y1-2 p && q && x1=y1-2 && x2=y2+2 !p && !q && x1=x2 p && q && x1=y1+y2 && x2=y2+y1 && x1=x2 || !p && !q && x1=x2 p && q && x1=y1-2 && x2=y2+2 p && q && x1=y1+y2 && x2=y2+2 p && q && x1=y1+y2 && x2=y2+y1 && x1=x2 Predicates: p: A[y1+y2]=3, q: A[x1+x2]=3

  14. Implementation-dependent. Influences precision and scalability. NumPredDom Interface • interface NumPredDom(VN,VP) extends AbsDom • VN – numeric variables, VP – predicates, e – conjunctive expression • projP (VP,e) = conjunction of predicates from VP s.t. e projP (VP,e) • projN(VN,e) = conjunction of constraints over VN s.t. e projN (VP,e) • αP : E → A αN : E → A unprime : A → A • reduce : A → A exists : 2VP A → A αPostN : S → (A → A) Information Sharing between NA and PA: Factored out for efficiency Lift propositional-only abstract transformer Lift numeric-only abstract transformer

  15. abstract project NumPredDom: Definition of α conjunctions • α(e1  e2) = meet ( α(e1) , α(e2) ) • α(e1  e2) = join ( α(e1) , α(e2) ) • α(e) = meet ( αP(projP (VP  VP’, e)), αN(projN (VN, e)) ) disjunctions combine

  16. base-case NumPredDom: Abstract Transformers • v ::= numeric expression • e ::= Boolean expression over predicate and numeric terms • τ::= τN| τa| τc| τP| τNP|τ || τ|τ ; τ • τNP ::= (e ? τN) &&& τP (numeric + predicate) • τP ::= p := ch (e, e) |τP &&& τP (predicate) • τc ::= e ? τN (conditional) • τa ::= assume (e) (assume) • τN ::= x := v | τN &&& τN (numeric) sequence non-det

  17. Transformer Examples Predicates: p1:z=&x, p2:z=&y, p3:y=1 Concrete Transformer Abstract Transformer assume (*z > 0) (p1&&x>0 || p2&&y>0 || !p1&&!p2 )? skip (p1? x := u + 1) || (p2 ? y := u+1) || (!p1 && !p2 ? skip) *z = u + 1 (p3 ? x := v || !p3 ? x := w) &&& p3 := ch (x=1,x!=1) y = x &&& x = (y-1? v : w)

  18. NumPredDom: Four Implementations Precision

  19. Summary of the Data Structures

  20. Tool Implementation • Java Implementation • Numeric domains implemented on top of Apron library Reachability Analysis Annotated CFG + Initial Node + Target Node Source Report Frontend • Fixed point computation with widening • “Simple” automated abstraction-refinement • Check is CE is spurious using WP + TP • Add new numeric variables in UNSAT core first • Add new predicates only if all numeric variables in UNSAT core already present

  21. Experimental Results • Synthetic examples used to validate specific conjectures • NEX & MTNDD better than NDD when numeric joins are exact • Since NDD uses exact unions while others use numeric join • NDD better than others when invariants are propositionally complex • Since NDD has the most sharing capability • Realistic examples used to gauge overall performance • Medley: 22 examples: Zitser buffer overflow (3), OpenSSL (2), engine controller (9), Micro-C OS (2), Device drivers (6)

  22. Negative running time means failure

  23. Experimental Results: Medley (2) (Total # of examples = 22; all times are in seconds)

  24. Negative running time means failure

  25. Related Work • Abstract Interpretation [CC’92] • Our domain ≈ reduced direct product of Predicate and Numeric domains • Jain et al. [CAV’06] • Applies numeric invariants to simplify predicate abstraction • Weaker than NEXPoint • Fischer et al. [FSE’05], Beyer et al. [CAV’07,CAV’06] • Predicate abstraction + Abstract Domain • Similar to NEXPoint, but with simpler transfer functions • Bultan et al. [TOSEM’00] • MC of programs with Boolean and numeric variables using Omega library • Similar to NEX, but with simpler transfer functions

  26. Current and Future Work • Augmenting our benchmark suite • Better automated abstraction-refinement for PA + NA • In this work, the abstract domain is treated as a black box. Exploring tighter integration between predicate and numeric domains • smarter numeric transfer functions, • smarter DD variable ordering, etc. • We support intervals, octagons and polyhedra. Looking for combinations with other (numeric) domains

More Related