# SLAM - PowerPoint PPT Presentation Download Presentation SLAM

SLAM Download Presentation ## SLAM

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. SLAM • A Microsoft tool for checking safety of device drivers • Inspired BLAST

2. BLAST Berkeley Lazy Abstraction Software * Tool www.eecs.berkeley.edu/~blast/

3. Counter Example Guided RefinementCEGAR Mooly Sagiv

4. Recap • Many abstract domains • Signs • Odd/Even • Constant propagation • Intervals • [Polyhedra] • Canonic abstraction • Domain constructors • … • Static Algorithms • Iterative Chaotic Iterations • Widening/Narrowing • Interprocedural Analysis • Concurrency • Modularity • Non-Iterative methods

5. A Lattice of Abstractions • Every element is an abstract domain • A  A’ if there exists a Galois Connection from A to A’

6. But how to find the appropriate abstract domain • Precision vs. Scalability • Sometimes precision improves scalability • Specialize the abstraction for the desired property

7. Counter Example Guided Refinement (CEGAR) • Run the analysis with a simple abstract domain • When the analysis verifies the property declare done • If the analysis reports an error employs a theorem prover to identify if the error is feasible • If the error is feasible generate a concrete trace • If the error is spurious refine the abstract domain and repeat

8. A Simple Example z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x) [x ] z = 5 [x ] y  0 [x P] [x ] F T x = z x = -y [x ] [x ] [x ] assert x >0

9. A Simple Example z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x), sign(y) [x , y ] z = 5 [x , y] y > 0 [x , yN] [x , yP] T F x = z x = -y [x , yP] [x P, yN] [x , y] assert x >0

10. A Simple Example z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x), sign(y), sign(z) [x , y, z ] z = 5 [x , y, zP ] y > 0 [x , yN, zP ] [x , yP, zP ] T F x = z x = -y [x P, yP, zP ] [x P, yN, zP ] [x P, y, zP ] assert x >0

11. Simple Example (local abstractions) z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x), sign(y), sign(z) [] z = 5 [zP ] y > 0 [yN] [yP, zP] T F x = z x = -y [x P] [x P] [x P] assert x >0

12. Plan • CEGAR in BLAST (inspired by SLAM) POPL’04 • Limitations

13. Abstractions from Proofs Thomas A. Henzinger Ranjit Jhala [UC Berkeley] Rupak Majumdar [UC Los Angeles] Kenneth L. McMillan [Cadence Berkeley Labs]

14. Scalable Program Verification • Little theorems about big programs • Partial Specifications • Device drivers use kernel API correctly • Applications use root privileges correctly • Behavioral, path-sensitive properties

15. Predicate Abstraction: A crash course Error Initial Program State Space Abstraction • Abstraction: Predicates on program state • Signs: x > 0 • Aliasing: &x  &y • States satisfying the same predicates are equivalent • Merged into single abstract state

16. (Predicate) Abstraction: A crash course Error Initial Program State Space Abstraction Q1: Which predicates are required to verify a property ?

17. The Predicate Abstraction Domain • Fixed set of predicates Pred • The relational domain is <P(P(Pred)), , P(Pred), , > • Join is set union • State space explosion • Special case of canonic abstraction

18. Scalability vs. Verification scalability verification • Few predicates tracked • e.g. type of variables • Imprecision hinders Verification • Spurious counterexamples • Many predicates tracked • e.g. values of variables • State explosion • Analysis drowned in detail

19. Example while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } lock T F T unlock scalability lock Only track lock • Bogus Counterexample • Must correlate branches Predicatep1makes trace abstractly infeasible pi required for verification

20. Example while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } lock unlock verification scalability lock Only track lock Track lock, pi s • Bogus Counterexample • Must correlate branches • State Explosion • > 2n distinct states • intractable How can we get scalable verification ?

21. p1 p2 pn By Localizing Precision while (*) { 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } Preds. Used locally Ex: 2 £ n states Preds. used globally Ex: 2n states Q2: Where are the predicates required ?

22. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement • What predicates remove trace ? • Make it abstractly infeasible • Where are predicates needed ? Abstract • explanation Why infeasible ? [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’01]

23. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement Abstract

24. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement safe Abstract

25. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG This Talk: Counterexample Analysis • What predicates remove trace ? • Make it abstractly infeasible • Where are predicates needed ? Abstract

26. Plan • Motivation • Refinement using Traces • Simple • Procedure calls • Results

27. Trace Formulas • A single abstract trace represents infinite number of traces • Different loop iterations • Different concrete values • Solution • Only considers concrete traces with the same number of executions • Use formulas to represent sets of states

28. Representing States asFormulas • [F] • states satisfying F {s | s F } • F • FO formula over prog. vars • [F1] [F2] • F1F2 • [F1] [F2] • F1 F2 • [F] • F • [F1] [F2] • F1 implies F2 • i.e. F1  F2 unsatisfiable

29. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

30. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

31. Traces pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: if (x = i-1){ pc5: if (y != i){ ERROR:} } pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) y = x +1

32. Trace Feasibility Formulas pc1: x = ctr pc2: ctr = ctr+1 pc3: y = ctr pc4: assume(x=i-1) pc5: assume(yi) pc1: x1 = ctr0 pc2: ctr1 = ctr0+1 pc3: y1 = ctr1 pc4: assume(x1=i0-1) pc5: assume(y1i0) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 Trace SSA Trace Trace Feasibility Formula Theorem: Trace is Feasible, TFF is Satisfiable Compact Verification Conditions [Flanagan,Saxe ’00]

33. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

34. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

35. Proof of Unsatisfiability x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 x1 = ctr0 x1 = i0 -1 ctr1= ctr0+1 ctr0 = i0-1 ctr1 = i0 y1= ctr1 y1= i0 y1 i0 ; Proof of Unsatisfiability Trace Formula • PROBLEM • Proof uses entire history of execution • Information flows up and down • No localized or state information !

36. The Present State… Trace pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) … is all the information the executing program has here State… 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible At pc4, which predicate on present state shows infeasibility of suffix ?

37. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

38. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1  y1i0 x1 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 State… Predicate … … implied by TF prefix … on common variables 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

39. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix … on common variables … & TF suffix is unsatisfiable 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

40. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix … on common variables … & TF suffix is unsatisfiable 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible

41. + - Craig’s Interpolation Theorem [Craig ’57] Given formulas - , + s.t. -+ is unsatisfiable There exists an Interpolant for - , +, s.t. • -implies •  has symbols common to -, + • + is unsatisfiable 

42. Examplesof Craig’s Interpolation • - =b  (b c) + =c • - =x1 =ctr0  ctr1=ctr0+1y1=ctr1+ =x1=i0-1 y1i0 • y1 = x1 + 1

43. Craig’s Interpolation Theorem [Craig ’57] Given formulas - , + s.t. -Æ + is unsatisfiable There exists an Interpolant for - , +, s.t. • -implies •  has only symbols common to -, + • + is unsatisfiable  computable from Proof of Unsat. of - + [Krajicek ’97] [Pudlak ’97] (boolean) SAT-based Model Checking [McMillan ’03]

44. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 - Interpolate  + Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables common = current value 3. Predicate & suffix yields a contradiction

45. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 - Interpolate  + y1 = x1 + 1 Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. + is unsatisfiable • 1. Predicate implied by trace prefix • 2. Predicate on common variables • 3. Predicate & suffix yields a contradiction

46. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 Predicate at pc4: y= x+1 - Interpolate  pc4 + y1 = x1 + 1 Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. Æ+ is unsatisfiable • 1. Predicate implied by trace prefix • 2. Predicate on common variables • 3. Predicate & suffix yields a contradiction

47. Building Predicate Maps Predicate Map pc2: x= ctr Trace Trace Formula - pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 Interpolate x1 = ctr0 + pc2 • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

48. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x= ctr-1 Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 - Interpolate x1= ctr1-1 pc3 + • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

49. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x = ctr-1 pc4:y = x+1 pc5:y= i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 - Interpolate y1= i0 pc5 + • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

50. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x = ctr-1 pc4:y = x+1 pc5:y = i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 Theorem:Predicatemap makes trace abstractly infeasible