Download
1 / 93
930 likes | 1.07k Views
This document delves into the utilization of Satisfiability Modulo Theories (SMT) within software verification processes, featuring concepts from control flow graphs and lazy abstraction techniques. The focus is on unwinding control flow graphs, computing postconditions, and creating abstractions in software analysis. It also addresses error states and UNSAT results in the context of SMT solving methods. This comprehensive overview aims to equip researchers and developers with the theoretical background and practical considerations necessary for effective software verification.
E N D
SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening , Rummer, Sinha, Jhala, and Majumdar, McMillan
L=0 [L!=0] do{ lock(); old = new; if(*){ unlock(); new++; } } while (new != old); L=1; old=new L=0; new++ [new!=old] program fragment [new==old] control-flow graph Lazy abstraction -- an example
T 0 Unwinding the CFG L=0 [L!=0] L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph
T 0 L=0 T 1 Unwinding the CFG L=0 [L!=0] L=1; old=new Replace all free occurrences of L in the formula with L’ L=0; new++ [new!=old] [new==old] Compute Post (T, L=0)= T[L/L’] ÆL=0[L/L’] = (L=0) Make Abstraction (L=0) T Pass control-flow graph
T 0 L=0 T [L!=0] 2 1 Unwinding the CFG L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ [new!=old] [new==old] control-flow graph
T 0 L=0 T [L!=0] 2 1 Unwinding the CFG T T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ [new!=old] [new==old] control-flow graph
T 0 L=0 T [L!=0] 2 1 Unwinding the CFG T T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ L!=0 [new!=old] [new==old] control-flow graph WPre(L!=0, [L!=0]) = (L!=0)
T 0 L=0 T [L!=0] 2 1 Unwinding the CFG L=0 T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ L!=0 [new!=old] [new==old] control-flow graph Compute Craig Interpolant: (L=0) 1. (L=0) (L=0) 2. (L=0) Æ (L=0) is UNSAT 3. Use only share var. of (L=0) and (L!=0) WPre(L!=0, [L!=0]) = (L!=0)
T 0 L=0 L=0 [L!=0] 2 1 Unwinding the CFG L=0 T L=0 L!=0 L=0 [L!=0] L=0 [L!=0] F L=1; old=new Compute Post (T, [L!=0])= TÆ(L!=0) = (L!=0) ERROR state reached! L=0; new++ L!=0 [new!=old] [new==old] control-flow graph Compute Craig Interpolant: (L=0) 1. (L=0) (L=0) 2. (L=0) Æ (L=0) is UNSAT 3. Use only share var. of (L=0) and (L!=0) WPre(L!=0, [L!=0]) = (L!=0)
L=1; old=new L!=0 3 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] Compute Post (L=0, L=1) = (L=0)[L/L’] ÆL=1[L/L’] = (L’=0 ÆL=1) Compute Post (L’=0 ÆL=1, old=new) = (L’=0 ÆL=1)[old/old’] Æ old=new[old/old’] = L’=0 ÆL=1Æold=new Make Abstraction (L’=0 ÆL=1Æold=new) (L!=0) Pass (L’=0 ÆL=1Æold=new) (L=0) Not Passed [new==old] control-flow graph
L=1; old=new L!=0 3 L=0; new++ L=0 4 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L!=0, L=0) = (L!=0)[L/L’] ÆL=0[L/L’] = (L’!=0 ÆL=0) Compute Post (L’!=0 Æ(L=0), new=new+1) = (L’!=0 ÆL=0)[new/new’] Æ new=(new+1)[new/new’] = (L’!=0 ÆL=0 Æ new=new’+1) Make Abstraction (L’!=0 ÆL=0 Æ new=new’+1) (L!=0) Not Passed (L’!=0 ÆL=0 Æ new=new’+1) (L=0) Pass control-flow graph
L=1; old=new L!=0 3 L=0; new++ L=0 4 [new!=old] L=0 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L=0, [new!=old]) = (L=0 Æ new!=old) Make Abstraction (L=0 Æ new!=old) (L!=0) Not Passed (L=0 Æ new!=old) (L=0) Pass control-flow graph
L=1; old=new L!=0 3 L=0; new++ L=0 4 [new!=old] L=0 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph Covering: state 5 is subsumed by state 1. L=1 L=1 Pass
[new==old] L=0 7 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] L=0 5 Compute Post (L=0, [new==old]) = (L=0 Æ new==old) Make Abstraction (L=0 Æ new!=old) (L!=0) Not Passed (L=0 Æ new!=old) (L=0) Pass control-flow graph
L!=0 8 [new==old] L=0 7 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] L=0 5 No Actions control-flow graph
L!=0 8 [new==old] L=0 7 9 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph Compute Post (L!=0, [new==old]) = (L!=0 Æ new==old) Make Abstraction (L!=0 Æ new==old) (L!=0) Pass (L!=0 Æ new==old) (L=0) Not Passed
L!=0 8 [new==old] [new!=old] L=0 10 7 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph Compute Post (L!=0, [new!=old]) = (L!=0 Æ new!=old) Make Abstraction (L!=0 Æ new!=old) (L!=0) Pass (L!=0 Æ new!=old) (L=0) Not Passed
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph Compute Post (L!=0, [L!=0]) = (L!=0 Æ L!0) ERROR state reached!
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L!=0 L=0 L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old =new 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L=0 L!=0 Æ old=new L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new
L!=0 8 [new==old] [new!=old] [L!=0] L=0 10 7 11 9 L!=0 L!=0 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 Remove all of its children L=1; old=new L=1; old=new L!=0 Æ old =new 3 L=0; new++ L=0; new++ [new!=old] L=0 4 [new!=old] [new==old] [new==old] L=0 5 control-flow graph L!=0 L!=0 L=0 L!=0 Æ old=new L=1 old=new [L!=0] [new!=old] T L=0 L’=0 Æ L=1Æ old=new L!=0 L!=0 L=0 L!=0 Æ old!=new L!=0 L!=0 Æ old!=new L!=0 Æ old!=new L!=0 Æ old!=new
L=1; old=new L!=0 Æ old =new 3 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph
L=1; old=new L!=0 Æ old =new 3 L=0; new++ L=0 Æ old !=new 4 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L!=0 Æ old =new, L=0) = (L!=0 Æ old=new)[L/L’] ÆL=0[L/L’] = (L’!=0 Æ old=new ÆL=0) Compute Post (L’!=0Æ old=new Æ(L=0), new=new+1) = (L’!=0 Æ old=new ÆL=0)[new/new’] Æ new=(new+1)[new/new’] = (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) Make Abstraction (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) (L!=0) Not Passed (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) (L=0) Pass (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) (old=new) Not Passed (L’!=0 Æ old=new’ ÆL=0 Æ new=new’+1) (old!=new) Pass control-flow graph
L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0 Æ old =new 4 [new!=old] L=0 Æ old!=new 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] Compute Post (L=0 Æ old!=new, [new!=old]) = (L=0 Æ new!=old) Make Abstraction (L=0 Æ new!=old) (L!=0) Not Passed (L=0 Æ new!=old) (L=0) Pass (L=0 Æ new!=old) (old=new) Not Passed (L=0 Æ new!=old) (old!=new) Pass control-flow graph
L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0 Æ old =new 4 [new!=old] L=0 Æ old!=new 5 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=0; new++ [new!=old] [new==old] control-flow graph Covering: state 5 is subsumed by state 1. L=1 Æ old!=new L=1 Pass
[new==old] L=0Æold=new 7 Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] 5 L=0 Æ old!=new Compute Post (L=0, [new==old]) = (L=0 Æ new=old) Make Abstraction (L=0 Æ new=old) (L!=0) Not Passed (L=0 Æ new=old) (L=0) Pass (L=0 Æ new=old) (new!=old) Not Passed (L=0 Æ new=old) (new=old) Pass control-flow graph
L!=0 Æ old=new 8 [new==old] 7 L=0 Æ old=new Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] 5 L=0 Æ old!=new No Actions control-flow graph
L!=0 Æ old=new 8 [new==old] L!=0 Æ old=new 7 9 L=0 Æ old=new Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] [new==old] 5 L=0 Æ old!=new control-flow graph Compute Post (L!=0Ænew=old, [new==old]) = (L!=0 Æ new=old) Make Abstraction (L!=0 Æ new=old) (L!=0) Pass (L!=0 Æ new=old) (L=0) Not Passed (L!=0 Æ new=old) (old=new) Pass (L!=0 Æ new=old) (old!=new) Not Passed
L!=0 Æ old=new 8 [new==old] [new!=old] L!=0 Æ old=new 10 7 9 F L=0 Æ old=new Unwinding the CFG T 0 L=0 L=0 [L!=0] F [L!=0] L=0 2 1 L=1; old=new L=1; old=new L!=0 Æ old=new 3 L=0; new++ L=0; new++ [new!=old] L=0 Æ old =new 4 [new!=old] [new==old] [new==old] 5 L=0 Æ old!=new control-flow graph Compute Post (L!=0Ænew=old, [new!=old]) = (L!=0 Æ new=old Æ new!=old ) = false
Another Approach: The IMPACT method Kenneth L. McMillan: Lazy Abstraction with Interpolants. CAV 2006: 123-136
Interpolation Lemma (Craig,57)
Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of
Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' 2L(A) ÅL(B)
Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' 2L(A) ÅL(B) • Example: • A = p Ù q, B = Øq Ù r, A' = q
Interpolation Lemma (Craig,57) • Notation: L() is the set of FO formulas over the symbols of • If A Ù B = false, there exists an interpolant A' for (A,B) such that: A Þ A' A' Ù B = false A' 2L(A) ÅL(B) • Example: • A = p Ù q, B = Øq Ù r, A' = q • Interpolants from proofs • in certain quantifier-free theories, we can obtain an interpolant for a pair A,B from a refutation in linear time. [McMillan 05] • in particular, we can have linear arithmetic,uninterpreted functions, and restricted use of arrays
Interpolants for sequences • Let A1...An be a sequence of formulas
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False
Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An)
... A1 A2 A3 Ak Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An)
... A1 A2 A3 Ak True False ... ) ) ) ) A'1 A'2 A'3 A'k-1 Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An)
... A1 A2 A3 Ak True False ... ) ) ) ) A'1 A'2 A'3 A'k-1 Interpolants for sequences • Let A1...An be a sequence of formulas • A sequence A’0...A’n is an interpolant for A1...An when • A’0 = True • A’i-1Æ Ai) A’i, for i = 1..n • An = False • and finally, A’i2L (A1...Ai) ÅL(Ai+1...An) In other words, the interpolant is a structured refutation of A1...An
x=y; y++; [x=y] Interpolants as Floyd-Hoare proofs
