Predicate Abstraction: A Tutorial

Size: px

Start display at page:

Download "Predicate Abstraction: A Tutorial"

Neal Day
6 years ago
Views:

1 Predicate Abstraction: A Tutorial Predicate Abstraction Daniel Kroening May

2 Outline Introduction Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Checking the Abstract Model Simulating the Counterexample Refining the Abstraction D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 2

3 Model Checking with Predicate Abstraction A heavy-weight formal analysis technique Recent successes in software verification, e.g., SLAM at Microsoft The abstraction reduces the size of the model by removing irrelevant detail The abstract model is then small enough for an analysis with a BDD-based Model Checker Idea: only track predicates on data, and remove data variables from model Mostly works with control-flow dominated properties D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 3

4 Reminder Abstract Interpretation Abstract Domain Approximate representation of sets of concrete values S α γ Ŝ D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 4

5 Predicate Abstraction as Abstract Domain We are given a set of predicates over S, denoted by Π 1,..., Π n. An abstract state is a valuation of the predicates: Ŝ = B n The abstraction function: α(s) = Π 1 (s),..., Π n (s) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 5

6 Predicate Abstraction: the Basic Idea Concrete states over variables x, y: x = 2 y = 0 x = 2 y = 1 x = 0 y = 0 x = 1 y = 0 x = 1 y = 1 x = 1 y = 2

7 Predicate Abstraction: the Basic Idea Concrete states over variables x, y: x = 2 y = 0 x = 2 y = 1 x = 0 y = 0 x = 1 y = 0 x = 1 y = 1 x = 1 y = 2 Predicates: p 1 x > y p 2 y = 0

8 Predicate Abstraction: the Basic Idea Concrete states over variables x, y: x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 p 1, p 2 x = 0 y = 0 p 1, p 2 p 1, p 2 x = 1 y = 2 Predicates: p 1 x > y p 2 y = 0 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 6

9 Predicate Abstraction: the Basic Idea Concrete states over variables x, y: x = 2 y = 0 p 1, p 2 x = 1 y = 0 Predicates: p 1 x > y p 2 y = 0 x = 2 y = 1 x = 1 y = 1 p 1, p 2 x = 0 y = 0 p 1, p 2 p 1, p 2 x = 1 y = 2 Abstract Transitions? D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 6

10 Existential Abstraction 1 Definition (Existential Abstraction) A model ˆM = ( Ŝ, Ŝ0, ˆT ) is an existential abstraction of M = (S, S 0, T ) with respect to α : S Ŝ iff s S 0. α(s) = ŝ ŝ Ŝ0 and (s, s ) T. α(s) = ŝ α(s ) = ŝ (ŝ, ŝ ) ˆT. 1 Clarke, Grumberg, Long: Model Checking and Abstraction, ACM TOPLAS, 1994 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 7

11 Minimal Existential Abstractions There are obviously many choices for an existential abstraction for a given α. Definition (Minimal Existential Abstraction) A model ˆM = ( Ŝ, Ŝ0, ˆT ) is the minimal existential abstraction of M = (S, S 0, T ) with respect to α : S Ŝ iff s S 0. α(s) = ŝ ŝ Ŝ0 and (s, s ) T. α(s) = ŝ α(s ) = ŝ (ŝ, ŝ ) ˆT. This is the most precise existential abstraction. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 8

12 Existential Abstraction We write α(π) for the abstraction of a path π = s 0, s 1,...: α(π) = α(s 0 ), α(s 1 ),... D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 9

13 Existential Abstraction We write α(π) for the abstraction of a path π = s 0, s 1,...: α(π) = α(s 0 ), α(s 1 ),... Lemma Let ˆM be an existential abstraction of M. The abstraction of every path (trace) π in M is a path (trace) in ˆM. π M α(π) ˆM Proof by induction. We say that ˆM overapproximates M. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 9

14 Abstracting Properties Reminder: we are using a set of atomic propositions (predicates) A, and a state-labelling function L : S P(A) in order to define the meaning of propositions in our properties. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 10

15 Abstracting Properties We define an abstract version of it as follows: First of all, the negations are pushed into the atomic propositions. E.g., we will have x = 0 A and x 0 A D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 11

16 Abstracting Properties An abstract state ŝ is labelled with a A iff all of the corresponding concrete states are labelled with a. a ˆL(ŝ) s α(s) = ŝ. a L(s) This also means that an abstract state may have neither the label x = 0 nor the label x 0 this may happen if it concretizes to concrete states with different labels! D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 12

17 Conservative Abstraction The keystone is that existential abstraction is conservative for certain properties: Theorem (Clarke/Grumberg/Long 1994) Let φ be a CTL* formula where all negations are pushed into the atomic propositions, and let ˆM be an existential abstraction of M. If φ holds on ˆM, then it also holds on M. ˆM = φ M = φ We say that an existential abstraction is conservative for CTL* properties. The same result can be obtained for LTL properties. The proof uses the lemma and is by induction on the structure of φ. The converse usually does not hold. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 13

18 Conservative Abstraction We hope: computing ˆM and checking ˆM = φ is easier than checking M = φ. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 14

19 Back to the Example x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 x = 0 y = 0 p 1, p 2 p 1, p 2 p 1, p 2 x = 1 y = 2

20 Back to the Example x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 x = 0 y = 0 p 1, p 2 p 1, p 2 p 1, p 2 x = 1 y = 2

21 Back to the Example x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 x = 0 y = 0 p 1, p 2 p 1, p 2 p 1, p 2 x = 1 y = 2

22 Back to the Example x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 x = 0 y = 0 p 1, p 2 p 1, p 2 p 1, p 2 x = 1 y = 2

23 Back to the Example x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 x = 0 y = 0 p 1, p 2 p 1, p 2 p 1, p 2 x = 1 y = 2

24 Back to the Example x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 x = 0 y = 0 p 1, p 2 p 1, p 2 p 1, p 2 x = 1 y = 2 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 15

25 Let s try a Property x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 x = 0 y = 0 p 1, p 2 p 1, p 2 p 1, p 2 x = 1 y = 2 Property: x > y y 0 p 1 p 2

26 Let s try a Property x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 p 1, p 2 x = 0 y = 0 p 1, p 2 p 1, p 2 x = 1 y = 2 Property: x > y y 0 p 1 p 2 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 16

27 Another Property x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 x = 0 y = 0 p 1, p 2 p 1, p 2 p 1, p 2 x = 1 y = 2 Property: x > y p 1

28 Another Property x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 p 1, p 2 x = 0 y = 0 p 1, p 2 p 1, p 2 x = 1 y = 2 Property: x > y p 1

29 Another Property x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 p 1, p 2 x = 0 y = 0 p 1, p 2 p 1, p 2 x = 1 y = 2 Property: x > y p 1 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 17

30 Another Property x = 2 y = 0 p 1, p 2 x = 1 y = 0 x = 2 y = 1 x = 1 y = 1 p 1, p 2 x = 0 y = 0 p 1, p 2 p 1, p 2 x = 1 y = 2 Property: x > y p 1 But: the counterexample is spurious D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 17

31 SLAM Microsoft blames most Windows crashes on third party device drivers The Windows device driver API is quite complicated Drivers are low level C code SLAM: Tool to automatically check device drivers for certain errors SLAM is shipped with Device Driver Development Kit Full detail available at D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 18

32 SLIC Finite state language for defining properties Monitors behavior of C code Temporal safety properties (security automata) familiar C syntax Suitable for expressing control-dominated properties e.g., proper sequence of events can track data values D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 19

33 SLIC Example unlocked acq rel locked state { enum { Locked, Unlocked} s = Unlocked ; } KeAcquireSpinLock. entry { i f ( s==locked ) abort ; else s = Locked ; } KeReleaseSpinLock. entry { i f ( s==unlocked ) abort ; else s = Unlocked ; }

34 SLIC Example unlocked rel acq rel error locked acq state { enum { Locked, Unlocked} s = Unlocked ; } KeAcquireSpinLock. entry { i f ( s==locked ) abort ; else s = Locked ; } KeReleaseSpinLock. entry { i f ( s==unlocked ) abort ; else s = Unlocked ; } D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 20

35 Refinement Example do { KeAcquireSpinLock (); npacketsold = npackets; if (request) { request = request >Next; KeReleaseSpinLock (); npackets++; } } while(npackets!= npacketsold); KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 21

36 Refinement Example Does this code obey the locking rule? do { KeAcquireSpinLock (); npacketsold = npackets; if (request) { request = request >Next; KeReleaseSpinLock (); npackets++; } } while(npackets!= npacketsold); KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 21

37 Refinement Example do { KeAcquireSpinLock (); if ( ) { KeReleaseSpinLock (); } } while( ); KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 22

38 Refinement Example do { U KeAcquireSpinLock (); L L if ( ) { L L U U } } while( ); KeReleaseSpinLock (); L U U E KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 22

39 Refinement Example do { U KeAcquireSpinLock (); L L if ( ) { L L U U } } while( ); KeReleaseSpinLock (); L U U E KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 22

40 Refinement Example do { U KeAcquireSpinLock (); L L if ( ) { L L U U } } while( ); KeReleaseSpinLock (); L U U E KeReleaseSpinLock (); Is this path concretizable? D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 22

41 Refinement Example U L L L do { KeAcquireSpinLock (); npacketsold = npackets; if (request) { request = request >Next; L KeReleaseSpinLock (); U npackets++; } U } while(npackets!= npacketsold); L U U E KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 23

42 Refinement Example U L L L do { KeAcquireSpinLock (); npacketsold = npackets; if (request) { request = request >Next; L KeReleaseSpinLock (); U npackets++; } U } while(npackets!= npacketsold); L U U E KeReleaseSpinLock (); This path is spurious! D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 23

43 Refinement Example U L L L do { KeAcquireSpinLock (); npacketsold = npackets; if (request) { request = request >Next; L KeReleaseSpinLock (); U npackets++; } U } while(npackets!= npacketsold); L U U E KeReleaseSpinLock (); Let s add the predicate npacketsold==npackets D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 23

44 Refinement Example U L L L do { KeAcquireSpinLock (); npacketsold = npackets; b=true; if (request) { request = request >Next; L KeReleaseSpinLock (); U npackets++; } U } while(npackets!= npacketsold); L U U E KeReleaseSpinLock (); Let s add the predicate npacketsold==npackets D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 23

45 Refinement Example U L L L do { KeAcquireSpinLock (); npacketsold = npackets; b=true; if (request) { request = request >Next; L KeReleaseSpinLock (); U npackets++; b=b?false: ; } U } while(npackets!= npacketsold);!b L U U E KeReleaseSpinLock (); Let s add the predicate npacketsold==npackets D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 23

46 Refinement Example do { U KeAcquireSpinLock (); L b=true; L if ( ) { L L U U KeReleaseSpinLock (); b=b?false: ; } } while(!b ); L U U E KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 24

47 Refinement Example do { U KeAcquireSpinLock (); L b=true; b L if ( ) { L L U U KeReleaseSpinLock (); b=b?false: ; } } while(!b ); L U U E KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 24

48 Refinement Example do { U KeAcquireSpinLock (); L b=true; b L if ( ) { L U KeReleaseSpinLock (); b=b?false: ; b L U } } while(!b ); b L b U U E KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 24

49 Refinement Example do { U KeAcquireSpinLock (); L b=true; b L if ( ) { b L b U KeReleaseSpinLock (); b=b?false: ; b L!b U } } while(!b ); b L b U U E KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 24

50 Refinement Example do { U KeAcquireSpinLock (); L b=true; b L if ( ) { b L b U KeReleaseSpinLock (); b=b?false: ; b L!b U } } while(!b ); b L b U U E KeReleaseSpinLock (); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 24

51 Refinement Example do { U KeAcquireSpinLock (); L b=true; b L if ( ) { b L b U KeReleaseSpinLock (); b=b?false: ; b L!b U } } while(!b ); b L b U U E KeReleaseSpinLock (); The property holds! D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 24

52 Counterexample-guided Abstraction Refinement CEGAR An iterative method to compute a sufficiently precise abstraction Initially applied in the context of hardware [Kurshan] D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 25

53 CEGAR Overview C program 1.) Compute Abstraction 2.) Check Abstraction [no error] OK 4.) Refine Predicates 3.) Check Feasibility [feasible] report counterexample D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 26

54 Counterexample-guided Abstraction Refinement Claims: 1. This never returns a false error. 2. This never returns a false proof. 3. This is complete for finite-state models. 4. But: no termination guarantee in case of infinite-state systems D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 27

55 Computing Existential Abstractions of Programs C program 1.) Compute Abstraction 2.) Check Abstraction [no error] OK 4.) Refine Predicates 3.) Check Feasibility [feasible] report counterexample D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 28

56 Computing Existential Abstractions of Programs i n t main ( ) { i n t i ; } i =0; while ( even ( i ) ) i ++; void main ( ) { bool p1, p2 ; } p1=true; p2=true; while ( p2 ) { p1= p1? FALSE : * ; p2=!p2 ; } C Program D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 29

57 Computing Existential Abstractions of Programs i n t main ( ) { i n t i ; } i =0; while ( even ( i ) ) i ++; + p 1 i = 0 p 2 even(i) void main ( ) { bool p1, p2 ; } p1=true; p2=true; while ( p2 ) { p1= p1? FALSE : * ; p2=!p2 ; } C Program Predicates D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 29

58 Computing Existential Abstractions of Programs i n t main ( ) { i n t i ; } i =0; while ( even ( i ) ) i ++; + p 1 i = 0 p 2 even(i) void main ( ) { bool p1, p2 ; } p1=true; p2=true; while ( p2 ) { p1= p1? FALSE : * ; p2=!p2 ; } C Program Predicates Boolean Program D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 29

59 Computing Existential Abstractions of Programs i n t main ( ) { i n t i ; } i =0; while ( even ( i ) ) i ++; + p 1 i = 0 p 2 even(i) void main ( ) { bool p1, p2 ; } p1=true; p2=true; while ( p2 ) { p1= p1? FALSE : * ; p2=!p2 ; } C Program Predicates Boolean Program Minimal? D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 29

60 Predicate Images Reminder: Image(X) = {s S s X. T (s, s )} We need Îmage( ˆX) = {ŝ Ŝ ŝ ˆX. ˆT (ŝ, ŝ )} Îmage( ˆX) is equivalent to {ŝ, ŝ Ŝ2 s, s S 2. α(s) = ŝ α(s ) = ŝ T (s, s )} This is called the predicate image of T. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 30

61 Enumeration Let s take existential abstraction seriously Basic idea: with n predicates, there are 2 n 2 n possible abstract transitions Let s just check them! D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 31

62 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i)

63 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i) Basic Block i++;

64 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i) Basic Block i++; T i = i + 1

65 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i) Basic Block i++; T i = i + 1 p 1 p 2 p p 1 p 2 p

66 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i) Basic Block i++; T i = i + 1 p 1 p 2 p ? p 1 p 2 p

67 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i) Basic Block i++; T i = i + 1 p 1 p 2 p ? p 1 p 2 p Query to Solver i 1 i 2 even(i) i = i + 1 i 1 i 2 even(i ) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 32

68 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i) Basic Block i++; T i = i + 1 p 1 p 2 p p 1 p 2 p Query to Solver i 1 i 2 even(i) i = i + 1 i 1 i 2 even(i ) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 32

69 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i) Basic Block i++; T i = i + 1 p 1 p 2 p ? p 1 p 2 p Query to Solver i 1 i 2 even(i) i = i + 1 i 1 i 2 even(i ) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 32

70 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i) Basic Block i++; T i = i + 1 p 1 p 2 p p 1 p 2 p Query to Solver i 1 i 2 even(i) i = i + 1 i 1 i 2 even(i ) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 32

71 Enumeration: Example Predicates p 1 i = 1 p 2 i = 2 p 3 even(i) Basic Block i++; T i = i + 1 p 1 p 2 p p 1 p 2 p Query to Solver... and so on... D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 32

72 Predicate Images Computing the minimal existential abstraction can be way too slow Use an over-approximation instead Fast(er) to compute But has additional transitions Examples: Cartesian approximation (SLAM) FastAbs (SLAM) Lazy abstraction (Blast) Predicate partitioning (VCEGAR) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 33

73 Checking the Abstract Model C program 1.) Compute Abstraction 2.) Check Abstraction [no error] OK 4.) Refine Predicates 3.) Check Feasibility [feasible] report counterexample D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 34

74 Checking the Abstract Model No more integers! But: All control flow constructs, including function calls (more) non-determinism BDD-based model checking now scales D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 35

75 Finite-State Model Checkers: SMV 1 Variables VAR b0 argc ge 1 : boolean ; argc >= 1 VAR b1 argc le : boolean ; argc <= VAR b2 : boolean ; argv [ argc ] == NULL VAR b3 nmemb ge r : boolean ; nmemb >= r VAR b4 : boolean ; p1 == &array [ 0 ] VAR b 5 i g e 8 : boolean ; i >= 8 VAR b 6 i g e s : boolean ; i >= s VAR b7 : boolean ; 1 + i >= 8 VAR b8 : boolean ; 1 + i >= s VAR b 9 s g t 0 : boolean ; s > 0 VAR b10 s gt 1 : boolean ; s > 1... D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 36

76 Finite-State Model Checkers: SMV 2Control Flow program counter : 56 i s the t e r m i n a t i n g PC VAR PC: ; ASSIGN i n i t (PC) : = 0 ; i n i t i a l PC ASSIGN next (PC) : = case PC=0: 1; other PC=1: 2; other... PC=19: case goto ( w i t h guard ) guard19 : 26; 1: 20; esac ;... D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 37

77 Finite-State Model Checkers: SMV 3 Data TRANS (PC=0) > next ( b0 argc ge 1 ) = b0 argc ge 1 & next ( b1 argc le )= b1 argc le & next ( b2)=b2 & (! b30 b36 ) & (! b17! b30 b42 ) & (! b30! b42 b48 ) & (! b17! b30! b42 b54 ) & (! b54 b60 ) TRANS (PC=1) > next ( b0 argc ge 1 ) = b0 argc ge 1 & next ( b1 argc le ) = b1 argc le & next ( b2)=b2 & next ( b3 nmemb ge r )= b3 nmemb ge r & next ( b4)=b4 & next ( b 5 i g e 8 )= b 5 i g e 8 & next ( b 6 i g e s )= b 6 i g e s... D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 38

78 Finite-State Model Checkers: SMV 4 Property the s p e c i f i c a t i o n f i l e main. c l i n e 20 column 12 f u n c t i o n c : : v e r y b u g g y f u n c t i o n SPEC AG ( (PC=51) >! b23 ) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 39

79 Finite-State Model Checkers: SMV If the property holds, we can terminate If the property fails, SMV generates a counterexample with an assignment for all variables, including the PC D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 40

80 Simulating the Counterexample C program 1.) Compute Abstraction 2.) Check Abstraction [no error] OK 4.) Refine Predicates 3.) Check Feasibility [feasible] report counterexample D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 41

81 Lazy Abstraction The progress guarantee is only valid if the minimal existential abstraction is used. Thus, distinguish spurious transitions from spurious prefixes. Refine spurious transitions separately to obtain minimal existential abstraction SLAM: Constrain D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 42

82 Lazy Abstraction One more observation: each iteration only causes only minor changes in the abstract model Thus, use incremental Model Checker, which retains the set of reachable states between iterations (BLAST) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 43

83 Example Simulation int main() { int x, y; y=1; x=1; if (y>x) y ; else y++; assert(y>x); } Predicate: y>x main() { bool b0; // y>x b0=*; b0=*; if (b0) b0=*; else b0=*; assert(b0 ); }

84 Example Simulation int main() { int x, y; y=1; x=1; if (y>x) y ; else y++; assert(y>x); } Predicate: y>x main() { bool b0; // y>x b0=*; b0=*; if (b0) b0=*; else b0=*; assert(b0 ); } D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 44

85 Example Simulation int main() { int x, y; y=1; x=1; if (y>x) y ; else y++; assert(y>x); } D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 45

86 Example Simulation int main() { int x, y; y=1; x=1; if (y>x) y ; else y++; assert(y>x); } We now do a path test, so convert to SSA. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 45

87 Example Simulation int main() { int x, y; y 1 =1; x 1 =1; if (y 1 >x 1 ) y 2 =y 1 1; else y++; assert(y 2 >x 1 ); } D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 46

88 Example Simulation int main() { int x, y; y 1 =1; x 1 =1; if (y 1 >x 1 ) y 2 =y 1 1; else y++; y 1 = 1 x 1 = 1 y 1 > x 1 y 2 = y 1 1 (y 2 > x 0 ) } assert(y 2 >x 1 ); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 46

89 Example Simulation int main() { int x, y; y 1 =1; x 1 =1; if (y 1 >x 1 ) y 2 =y 1 1; y 1 = 1 x 1 = 1 y 1 > x 1 y 2 = y 1 1 } else y++; assert(y 2 >x 1 ); (y 2 > x 0 ) This is UNSAT, so ˆπ is spurious. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 46

90 Refining the Abstraction C program 1.) Compute Abstraction 2.) Check Abstraction [no error] OK 4.) Refine Predicates 3.) Check Feasibility [feasible] report counterexample D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 47

91 Manual Proof! int main() { int x, y; y=1; x=1; if (y>x) y ; else y++; } assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 48

92 Manual Proof! int main() { int x, y; y=1; {y = 1} x=1; if (y>x) y ; else y++; } assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 48

93 Manual Proof! int main() { int x, y; y=1; {y = 1} x=1; {x = 1 y = 1} if (y>x) y ; else y++; } assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 48

94 Manual Proof! int main() { int x, y; y=1; {y = 1} x=1; {x = 1 y = 1} if (y>x) y ; else {x = 1 y = 1 y > x} y++; } assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 48

95 Manual Proof! int main() { int x, y; y=1; {y = 1} x=1; {x = 1 y = 1} if (y>x) y ; else {x = 1 y = 1 y > x} This proof uses strongest post-conditions y++; {x = 1 y = 2 y > x} } assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 48

96 An Alternative Proof int main() { int x, y; y=1; x=1; if (y>x) y ; else y++; } assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 49

97 An Alternative Proof int main() { int x, y; y=1; x=1; if (y>x) y ; else } y++; {y > x} assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 49

98 An Alternative Proof int main() { int x, y; y=1; x=1; if (y>x) y ; else {y + 1 > x} } y++; {y > x} assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 49

99 An Alternative Proof int main() { int x, y; y=1; x=1; { y > x y + 1 > x} if (y>x) y ; else {y + 1 > x} y++; {y > x} } assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 49

100 An Alternative Proof int main() { int x, y; y=1; { y > 1 y + 1 > 1} x=1; { y > x y + 1 > x} if (y>x) y ; else {y + 1 > x} y++; {y > x} } assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 49

101 An Alternative Proof int main() { int x, y; y=1; { y > 1 y + 1 > 1} x=1; { y > x y + 1 > x} if (y>x) y ; else {y + 1 > x} y++; {y > x} We are using weakest pre-conditions here wp(x:=e, P ) = P [x/e] wp(s;t, Q) = wp(s, wp(t, Q)) wp(if(c) A else B, P ) = (B wp(a, P )) ( B wp(b, P )) The proof for the true branch is missing } assert(y>x); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 49

102 Refinement Algorithms Using WP 1. Start with failed guard G 2. Compute wp(g) along the path Using SP 1. Start at beginning 2. Compute sp(...) along the path Both methods eliminate the trace Advantages/disadvantages? D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 50

103 Predicate Refinement for Paths Recall the decision problem we build for simulating paths: x 1 = 10 y 1 = x y 2 = y y 2 30

104 Predicate Refinement for Paths Recall the decision problem we build for simulating paths: x 1 = 10 y 1 = x y 2 = y y 2 30 x 1 = 10

105 Predicate Refinement for Paths Recall the decision problem we build for simulating paths: x 1 = 10 y 1 = x y 2 = y y 2 30 x 1 = 10 y 1 = 20

106 Predicate Refinement for Paths Recall the decision problem we build for simulating paths: x 1 = 10 y 1 = x y 2 = y y 2 30 x 1 = 10 y 1 = 20 y 2 = 30

107 Predicate Refinement for Paths Recall the decision problem we build for simulating paths: x 1 = 10 y 1 = x y 2 = y y 2 30 x 1 = 10 y 1 = 20 y 2 = 30 false

108 Predicate Refinement for Paths Recall the decision problem we build for simulating paths: A 1 A 2 {}}{{}}{{}}{{}}{ x 1 = 10 y 1 = x y 2 = y y 2 30 x 1 = 10 y 1 = 20 y 2 = 30 false A 3 A 4

109 Predicate Refinement for Paths Recall the decision problem we build for simulating paths: A 1 A 2 {}}{{}}{{}}{{}}{ x 1 = 10 y 1 = x y 2 = y y 2 30 x 1 = 10 }{{} y 1 = 20 }{{} y 2 = 30 }{{} false }{{} A 1 A 2 A 3 A 4 A 3 A 4 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 51

110 Predicate Refinement for Paths For a path with n steps: A 1 A 2 A 3... A n true A 1 A 2 A 3 A n 1 false D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 52

111 Predicate Refinement for Paths For a path with n steps: A 1 A 2 A 3... A n true A 1 A 2 A 3 A n 1 false Given A 1,..., A n with i A i = false A 0 = true and A n = false (A i 1 A i) A i for i {1,..., n} D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 52

112 Predicate Refinement for Paths For a path with n steps: A 1 A 2 A 3... A n true A 1 A 2 A 3 A n 1 false Given A 1,..., A n with i A i = false A 0 = true and A n = false (A i 1 A i) A i for i {1,..., n} Finally, Vars(A i ) (Vars(A 1... A i ) Vars(A i+1... A n )) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 52

113 Predicate Refinement for Paths Special case n = 2: A B = false A A A B = false Vars(A ) (Vars(A) Vars(B)) D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 53

114 Predicate Refinement for Paths Special case n = 2: A B = false A A A B = false Vars(A ) (Vars(A) Vars(B)) W. Craig s Interpolation theorem (1957): such an A exists for any first-order, inconsistent A and B. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 53

115 Predicate Refinement with Craig Interpolants For propositional logic, a propositional Craig Interpolant can be extracted from a resolution proof ( SAT!) in linear time Interpolating solvers available for linear arithmetic over the reals and integer difference logic with uninterpreted functions Not possible for every fragment of FOL: x = 2y and x = 2z + 1 with x, y, z Z D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 54

116 Predicate Refinement with Craig Interpolants For propositional logic, a propositional Craig Interpolant can be extracted from a resolution proof ( SAT!) in linear time Interpolating solvers available for linear arithmetic over the reals and integer difference logic with uninterpreted functions Not possible for every fragment of FOL: x = 2y and x = 2z + 1 with x, y, z Z The interpolant is x is even D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 54

117 Craig Interpolation for Linear Inequalities 0 x 0 y 0 c 1 x + c 2 y with 0 c 1, c 2 Cutting-planes Naturally arise in Fourier-Motzkin or Simplex D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 55

118 Example A = (0 x y) (0 y z 1) B = (0 z x)

119 Example A = (0 x y) (0 y z 1) B = (0 z x) 0 y z 1 0 z x

120 Example A = (0 x y) (0 y z 1) B = (0 z x) 0 y z 1 0 z x 0 y x 1

121 Example A = (0 x y) (0 y z 1) B = (0 z x) 0 y z 1 0 z x 0 y x 1 0 x y 0 1

122 Example A = (0 x y) (0 y z 1) B = (0 z x) 0 y z 1 0 z x 0 y x 1 0 x y y z y z 1 0 x y 0 x z 1

123 Example A = (0 x y) (0 y z 1) B = (0 z x) 0 y z 1 0 z x 0 y x 1 0 x y y z y z 1 0 x y 0 x z 1 z x 1 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 56

124 Example A = (0 x y) (0 y z 1) B = (0 z x) 0 y z 1 0 z x 0 y x 1 0 x y y z y z 1 0 x y 0 x z 1 z x 1 Just sum the inequalities from A, and you get an interpolant! D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 56

125 Approximating Loop Invariants: SP i n t x, y ; x=y =0; while ( x!=10) { x ++; y ++; } The SP refinement results in sp(x=y=0, true) = x = 0 y = 0 a s s e rt ( y ==10); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 57

126 Approximating Loop Invariants: SP i n t x, y ; x=y =0; while ( x!=10) { x ++; y ++; } The SP refinement results in sp(x=y=0, true) = x = 0 y = 0 sp(x++; y++,...) = x = 1 y = 1 a s s e rt ( y ==10); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 57

127 Approximating Loop Invariants: SP i n t x, y ; x=y =0; while ( x!=10) { x ++; y ++; } The SP refinement results in sp(x=y=0, true) = x = 0 y = 0 sp(x++; y++,...) = x = 1 y = 1 sp(x++; y++,...) = x = 2 y = 2 a s s e rt ( y ==10); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 57

128 Approximating Loop Invariants: SP i n t x, y ; x=y =0; while ( x!=10) { x ++; y ++; } a s s e rt ( y ==10); The SP refinement results in sp(x=y=0, true) = x = 0 y = 0 sp(x++; y++,...) = x = 1 y = 1 sp(x++; y++,...) = x = 2 y = 2 sp(x++; y++,...) = x = 3 y = iterations required to prove the property. It won t work if we replace 10 by n. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 57

129 Approximating Loop Invariants: WP i n t x, y ; x=y =0; while ( x!=10) { x ++; y ++; } The WP refinement results in wp(x==10, y 10) = y 10 x = 10 a s s e rt ( y ==10); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 58

130 Approximating Loop Invariants: WP i n t x, y ; x=y =0; while ( x!=10) { x ++; y ++; } The WP refinement results in wp(x==10, y 10) = y 10 x = 10 wp(x++; y++,...) = y 9 x = 9 a s s e rt ( y ==10); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 58

131 Approximating Loop Invariants: WP i n t x, y ; x=y =0; while ( x!=10) { x ++; y ++; } The WP refinement results in wp(x==10, y 10) = y 10 x = 10 wp(x++; y++,...) = y 9 x = 9 wp(x++; y++,...) = y 8 x = 8 a s s e rt ( y ==10); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 58

132 Approximating Loop Invariants: WP i n t x, y ; x=y =0; while ( x!=10) { x ++; y ++; } The WP refinement results in wp(x==10, y 10) = y 10 x = 10 wp(x++; y++,...) = y 9 x = 9 wp(x++; y++,...) = y 8 x = 8 wp(x++; y++,...) = y 7 x = 7 a s s e rt ( y ==10); D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 58

133 Approximating Loop Invariants: WP i n t x, y ; x=y =0; while ( x!=10) { x ++; y ++; } a s s e rt ( y ==10); The WP refinement results in wp(x==10, y 10) = y 10 x = 10 wp(x++; y++,...) = y 9 x = 9 wp(x++; y++,...) = y 8 x = 8 wp(x++; y++,...) = y 7 x = 7... Also requires 10 iterations. It won t work if we replace 10 by n. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 58

134 What do we really need? Consider an SSA-unwinding with 3 loop iterations: x 1 = 0 y 1 = 0

135 What do we really need? Consider an SSA-unwinding with 3 loop iterations: x 1 = 0 y 1 = 0 1st It. x 1 10 x 2 = x 1 +1 y 2 = y 1 +1

136 What do we really need? Consider an SSA-unwinding with 3 loop iterations: x 1 = 0 y 1 = 0 1st It. x 1 10 x 2 = x 1 +1 y 2 = y nd It. x 2 10 x 3 = x 2 +1 y 3 = y 2 +1

137 What do we really need? Consider an SSA-unwinding with 3 loop iterations: 1st It. 2nd It. 3rd It. x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1

138 What do we really need? Consider an SSA-unwinding with 3 loop iterations: 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10

139 What do we really need? Consider an SSA-unwinding with 3 loop iterations: 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0

140 What do we really need? Consider an SSA-unwinding with 3 loop iterations: 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0 x 2 = 1 y 2 = 1

141 What do we really need? Consider an SSA-unwinding with 3 loop iterations: 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0 x 2 = 1 y 2 = 1 x 3 = 2 y 3 = 2

142 What do we really need? Consider an SSA-unwinding with 3 loop iterations: 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0 x 2 = 1 y 2 = 1 x 3 = 2 y 3 = 2 x 4 = 3 y 4 = 3 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 59

143 What do we really need? Consider an SSA-unwinding with 3 loop iterations: 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0 x 2 = 1 y 2 = 1 x 3 = 2 y 3 = 2 x 4 = 3 y 4 = 3 This proof will produce the same predicates as SP. D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 59

144 Split Provers Idea: P 1 P 2 P 3... P n Each prover P i only knows A i, but they exchange facts We require that each prover only exchanges facts with common symbols Plus, we restrict the facts exchanged to some language L D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 60

145 Back to the Example Restriction to language L = no new constants : 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10

146 Back to the Example Restriction to language L = no new constants : 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0

147 Back to the Example Restriction to language L = no new constants : 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0 x 2 = 1 y 2 = 1 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 61

148 Back to the Example Restriction to language L = no new constants : 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0 x 2 = 1 y 2 = 1 x 3 = 2 y 3 = 2 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 61

149 Back to the Example Restriction to language L = no new constants : 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0 x 2 = 1 y 2 = 1 x 3 = 2 y 3 = 2 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 61

150 Back to the Example Restriction to language L = no new constants : 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0 x 2 = 1 y 2 = 1 x 3 = y 3 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 61

151 Back to the Example Restriction to language L = no new constants : 1st It. 2nd It. 3rd It. Assertion x 1 = 0 y 1 = 0 x 1 10 x 2 = x 1 +1 y 2 = y 1 +1 x 2 10 x 3 = x 2 +1 y 3 = y 2 +1 x 3 10 x 4 = x 3 +1 y 4 = y 3 +1 x 4 = 10 y 4 10 x 1 = 0 y 1 = 0 x 2 = 1 y 2 = 1 x 3 = y 3 x 4 = y 4 D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 61

152 Invariants from Restricted Proofs The language restriction forces the solver to generalize! Algorithm: If the proof fails, increase L! If we fail to get a sufficiently strong invariant, increase n. This does work if we replace 10 by n! D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 62

153 Invariants from Restricted Proofs The language restriction forces the solver to generalize! Algorithm: If the proof fails, increase L! If we fail to get a sufficiently strong invariant, increase n. This does work if we replace 10 by n!? Which L 1, L 2,... is complete for which programs? D. Kroening: SSFT12 Predicate Abstraction: A Tutorial 62

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1 using Predicate Abstraction and Iterative Refinement: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 28, 2011 Outline Overview of Model Checking Creating Models