1 / 69

Counter Example Guided Refinement CEGAR

Counter Example Guided Refinement CEGAR. Mooly Sagiv. Recap. Many abstract domains Signs Odd/Even Constant propagation Intervals [Polyhedra] Canonic abstraction Domain constructors … Static Algorithms Iterative Chaotic Iterations Widening/Narrowing Interprocedural Analysis

penner
Download Presentation

Counter Example Guided Refinement CEGAR

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Counter Example Guided RefinementCEGAR Mooly Sagiv

  2. Recap • Many abstract domains • Signs • Odd/Even • Constant propagation • Intervals • [Polyhedra] • Canonic abstraction • Domain constructors • … • Static Algorithms • Iterative Chaotic Iterations • Widening/Narrowing • Interprocedural Analysis • Concurrency • Modularity • Non-Iterative methods

  3. A Lattice of Abstractions • Every element is an abstract domain • A  A’ if there exists a Galois Connection from A to A’

  4. But how to find the appropriate abstract domain • Precision vs. Scalability • Sometimes precision improves scalability • Specialize the abstraction for the desired property

  5. Counter Example Guided Refinement (CEGAR) • Run the analysis with a simple abstract domain • When the analysis verifies the property declare done • If the analysis reports an error employs a theorem prover to identify if the error is feasible • If the error is feasible generate a concrete trace • If the error is spurious refine the abstract domain and repeat

  6. A Simple Example z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x) [x ] z = 5 [x ] y > 0 [x P] [x ] F T x = z x = -y [x ] [x ] [x ] assert x >0

  7. A Simple Example z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x), sign(y) [x , y ] z = 5 [x , y] y > 0 [x , yN] [x , yP] T F x = z x = -y [x , yP] [x P, yN] [x , y] assert x >0

  8. A Simple Example z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x), sign(y), sign(z) [x , y, z ] z = 5 [x , y, zP ] y > 0 [x , yN, zP ] [x , yP, zP ] T F x = z x = -y [x P, yP, zP ] [x P, yN, zP ] [x P, y, zP ] assert x >0

  9. Simple Example (local abstractions) z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x), sign(y), sign(z) [x , y, z ] z = 5 [x , y, zP ] y > 0 [x , yN, z] [x , yP, zP] T F x = z x = -y [x P, y, z ] [x P, y, z ] [x P, y, z ] assert x >0

  10. Plan • CEGAR in BLAST (inspired by SLAM) POPL’04 • Limitations

  11. Abstractions from Proofs Thomas A. Henzinger Ranjit Jhala [UC Berkeley] Rupak Majumdar [UC Los Angeles] Kenneth L. McMillan [Cadence Berkeley Labs]

  12. Scalable Program Verification • Little theorems about big programs • Partial Specifications • Device drivers use kernel API correctly • Applications use root privileges correctly • Behavioral, path-sensitive properties

  13. Predicate Abstraction: A crash course Error Initial Program State Space Abstraction • Abstraction: Predicates on program state • Signs: x > 0 • Aliasing: &x  &y • States satisfying the same predicates are equivalent • Merged into single abstract state

  14. (Predicate) Abstraction: A crash course Error Initial Program State Space Abstraction Q1: Which predicates are required to verify a property ?

  15. The Predicate Abstraction Domain • Fixed set of predicates Pred • The relational domain is <P(P(Pred)), , P(Pred), , > • Join is set union • State space explosion • Special case of canonic abstraction

  16. Scalability vs. Verification scalability verification • Few predicates tracked • e.g. type of variables • Imprecision hinders Verification • Spurious counterexamples • Many predicates tracked • e.g. values of variables • State explosion • Analysis drowned in detail

  17. Example while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } lock T F T unlock scalability lock Only track lock Bogus Counterexample • Must correlate branches Predicatep1makes trace abstractly infeasible pi required for verification

  18. Example while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } lock unlock verification scalability lock Only track lock Track lock, pi s Bogus Counterexample • Must correlate branches State Explosion • > 2n distinct states • intractable How can we get scalable verification ?

  19. p1 p2 pn By Localizing Precision while (*) { 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } Preds. Used locally Ex: 2 £ n states Preds. used globally Ex: 2n states Q2: Where are the predicates required ?

  20. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement • What predicates remove trace ? • Make it abstractly infeasible • Where are predicates needed ? Abstract • explanation Why infeasible ? [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’01]

  21. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement Abstract

  22. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement safe Abstract

  23. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG This Talk: Counterexample Analysis • What predicates remove trace ? • Make it abstractly infeasible • Where are predicates needed ? Abstract

  24. Plan • Motivation • Refinement using Traces • Simple • Procedure calls • Results

  25. Trace Formulas • A single abstract trace represents infinite number of traces • Different loop iterations • Different concrete values • Solution • Only considers concrete traces with the same number of executions • Use formulas to represent sets of states

  26. Representing States asFormulas [F] states satisfying F {s | s² F } F FO fmla over prog. vars [F1] Å [F2] F1ÆF2 [F1] [ [F2] F1 ÇF2 [F] : F [F1] µ [F2] F1 implies F2 i.e. F1Æ: F2 unsatisfiable

  27. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  28. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  29. Traces pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: if (x = i-1){ pc5: if (y != i){ ERROR:} } pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) y = x +1

  30. Trace Feasibility Formulas pc1: x = ctr pc2: ctr = ctr+1 pc3: y = ctr pc4: assume(x=i-1) pc5: assume(yi) pc1: x1 = ctr0 pc2: ctr1 = ctr0+1 pc3: y1 = ctr1 pc4: assume(x1=i0-1) pc5: assume(y1i0) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 Trace SSA Trace Trace Feasibility Formula Theorem: Trace is Feasible, TFF is Satisfiable Compact Verification Conditions [Flanagan,Saxe ’00]

  31. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  32. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  33. Proof of Unsatisfiability x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 x1 = ctr0 x1 = i0 -1 ctr1= ctr0+1 ctr0 = i0-1 ctr1 = i0 y1= ctr1 y1= i0 y1 i0 ; Proof of Unsatisfiability Trace Formula • PROBLEM • Proof uses entire history of execution • Information flows up and down • No localized or state information !

  34. The Present State… Trace pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) … is all the information the executing program has here State… 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible At pc4, which predicate on present state shows infeasibility of suffix ?

  35. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

  36. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 x1 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 State… Predicate … … implied by TF prefix … on common variables 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

  37. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix … on common variables … & TF suffix is unsatisfiable 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

  38. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix … on common variables … & TF suffix is unsatisfiable 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible

  39. Craig’s Interpolation Theorem [Craig ’57] Given formulas - , + s.t. -Æ + is unsatisfiable There exists an Interpolant for - , +, s.t. • -implies •  has symbols common to -, + • Æ+ is unsatisfiable

  40. Examplesof Craig’s Interpolation • - =b  (b c) + =c • - =x1 =ctr0  ctr1=ctr0+1y1=ctr1+ =x1=i0-1 y1i0 • y1 = x1 + 1

  41. Craig’s Interpolation Theorem [Craig ’57] Given formulas - , + s.t. -Æ + is unsatisfiable There exists an Interpolant for - , +, s.t. • -implies •  has symbols common to -, + • Æ+ is unsatisfiable  computable from Proof of Unsat. of - Æ+ [Krajicek ’97] [Pudlak ’97] (boolean) SAT-based Model Checking [McMillan ’03]

  42. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 - Interpolate  + Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. Æ+ is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables common = current value 3. Predicate & suffix yields a contradiction

  43. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 - Interpolate  + y1 = x1 + 1 Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. Æ+ is unsatisfiable • 1. Predicate implied by trace prefix • 2. Predicate on common variables • 3. Predicate & suffix yields a contradiction

  44. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 Predicate at pc4: y= x+1 - Interpolate  pc4 + y1 = x1 + 1 Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. Æ+ is unsatisfiable • 1. Predicate implied by trace prefix • 2. Predicate on common variables • 3. Predicate & suffix yields a contradiction

  45. Building Predicate Maps Predicate Map pc2: x= ctr Trace Trace Formula - pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 Interpolate x1 = ctr0 + pc2 • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

  46. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x= ctr-1 Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 - Interpolate x1= ctr1-1 pc3 + • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

  47. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x = ctr-1 pc4:y = x+1 pc5:y= i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 - Interpolate y1= i0 pc5 + • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

  48. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x = ctr-1 pc4:y = x+1 pc5:y = i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 Theorem:Predicatemap makes trace abstractly infeasible

  49. Plan • Motivation • Refinement using Traces • Simple • Procedure calls • Results

  50. Traces with Procedure Calls Trace Trace Formula pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume (x1=x3+2) pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume(x1=x3+2) Find predicate needed at point i i i

More Related