
  1. Induction in CEGAR for Detecting Counterexamples
  Chao Wang, Aarti Gupta, Franjo Ivancic, NEC Laboratories America

  2. Background
  • Detecting long counterexamples is a hard problem
    • Bounded model checking [Biere et al. 1999]
    • Counterexample-guided abstraction refinement (CEGAR) [Kurshan 1994] [Clarke et al. 2000] [Ball et al. 2001]
    • Interpolation [McMillan 2003]
  • Induction has been used in model checking for finding proofs
    • To prove the absence of counterexamples: [Sheeran et al. 2000] [Gupta et al. 2003] [de Moura et al. 2003]
    • It has never been used for finding bugs
  • We use induction to prove the existence of counterexamples
    • Target counterexamples that are long and can be captured by regular patterns
  • Related work: [Bjesse & Kukula 2004] [Nashi & Somenzi 2006] [Kroening & Weissenbacher 2006] [Ball, Kupferman, Sagiv 2007]

  3. A Motivating Example
  A simple and yet representative bug (e.g., array bound violation). Refinement predicates: P: (i<n), P1: (i+1<n), P2: (i+2<n), …

  4. A Motivating Example
  • Our observations:
    • A counterexample exists regardless of the value of ‘n’
    • The counterexample has a regular pattern

  5. Outline
  • Background
  • Identifying the Counterexample Pattern
  • Proving the Existence of Counterexample
  • Experiments
  • Conclusions

  6. Parameterized Counterexamples
  (figure: a counterexample split into a prefix, a recurring segment repeated an induction-parameter number of times, and a suffix)

  7. Identifying Counterexample Pattern
  • Idea: look at the spurious counterexamples produced by CEGAR
  Spurious counterexamples in CEGAR:
    (1)(2)(3)(4)(5) (6)(7)
    (1)(2)(3)(4)(5) (6)(7)(8) (6)(7)
    (1)(2)(3)(4)(5) (6)(7)(8) (6)(7)(8) (6)(7)
    …
  Parameterized counterexample, with prefix (1)(2)(3)(4)(5), recurring segment (6)(7)(8) and suffix (6)(7):
    (1)(2)(3)(4)(5) {(6)(7)(8)}^n (6)(7)

  8. Using Induction in the CEGAR Loop
  Standard CEGAR [Kurshan 1994] [Clarke et al. 2000] [Ball and Rajamani 2000] (flowchart): model checking of the abstraction; if no abstract counterexample is found, the property is proved; if one is found, concretize the abstract counterexample; a concrete counterexample means the bug is found; otherwise refine the abstraction and repeat.
  Added branch (flowchart): when concretization fails, Step 1 identifies the counterexample pattern and Step 2 uses induction to prove the existence of a counterexample; if the proof succeeds the bug is found, otherwise control falls back to abstraction refinement.

  9. Concretization Test (standard)
  (figure: abstract counterexample; concrete pre-condition computation along it)

  10. Concretization with Back-leaping
  At the failing index i such that …, find two indexes k and j such that … and …

  11. Identifying the Induction Parameter
  Parameterized counterexample: (1)(2)(3)(4)(5) {(6)(7)(8)}^n (6)(7)
  (figure labels: tail of the recurring segment, head of the suffix, and the loop test (i <= n) at their boundary, from which the induction parameter n is read off)
  This is a heuristic (to be verified by the induction proof).

  12. Parameterized Traces
  • In the prefix, find the assignment to n: n = expr ;
  • Rewrite it into n = k ;
  • We can set the symbolic value k = 1, 2, 3, …

  13. Outline (section divider; same items as slide 5)

  14. Using Induction in the CEGAR Loop (same flowchart as slide 8: Step 1, identify the pattern; Step 2, induction proof)

  15. What’s easy / hard to compute?
  • Easy to compute: pre-condition computation; post-condition computation
  • Hard to compute: transitive pre- and post-condition (F is never computed directly)

  16. Induction Proof

  17. Induction: handling the prefixes
  F and F′ differ only in the valuations of Vb

  18. Induction: handling the suffixes
  Theorem 1
  F and F′ differ only in the valuations of Vb
  (figure labels: C0, C1)

  19. The Running Example
  (figure labels: finite-length prefix; finite-length suffixes)

  20. Outline (section divider; same items as slide 5)

  21. About Implementation: pre*( ) computation [cf. Dijkstra 1976]

  22. About Implementation: existential quantification
  • Finite domain: BDD (smooth)
  • Linear integer: polyhedral (Fourier–Motzkin elimination)
  • With both: combination of BDD and polyhedra [Yang et al. MEMOCODE 2006]

  23. Experiments
  The GNU bc example with standard CEGAR (figure; remaining axis values: … 256). Induction finds this counterexample in 10 seconds.

  24. Experiments
  • bc: GNU bc example
  • Aeon: Aeon-0.02a, Linux mail transfer agent
  • ftpd: wu-ftpd-2.6.2, the ftp daemon
  (figure: run time of standard CEGAR; x-axis: values of the induction parameters)

  25. Conclusions
  • Induction in CEGAR for detecting long counterexamples
    • Concretization algorithm to identify the counterexample pattern
    • Induction to prove the existence of counterexamples
  • Complementary to standard CEGAR (which itself is good for finding proofs)
  • Well-suited for finding deep bugs
    • Better than searching for a state-by-state match of the concrete counterexamples, e.g., BMC, predicate abstraction, interpolation
  • Future work
    • Static analysis to improve the counterexample pattern identification
