EFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES

Transcription

1 EFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES Arie Gurfinkel, Sagar Chaki and Samir Sapra Carnegie Mellon Uni In NFM11 Presented by Nimrod Partush

2 OUTLINE Introduction Predicate Abstraction CEGAR and Small Block Encoding Predicate Abstraction Query Program summaries and Large Block Encoding Contribution Extending the applicability of LBE Efficiently generating PAQs Efficiently solve PAQs AllSat LDD

3 INTRODUCTION Based on: [2] The software model checker BLAST by Beyer, Henzinger, Jhala & Majumdar [3] Software Model Checking via Large- Block Encoding by Beyer, Cimatti, Griggio, Keremoglu & Sebastiani

4 PREDICATE ABSTRACTION Instead of maintaining the complete state of a program, only care about what you need to verify. Use a set of predicates P = {p 1,, p n } that are required to prove your property and only maintain their Boolean value. In the example P = {x < 0} will suffice. void foo(int x) { int i,j=x/3,k=13*j; if (x<0) x = -x; while (j>3) { int m = k+9; i = m >> 3; j = getchar(); for (int l=0;l<100;l++) { l -= k % m; m++; k /= 22; } printf( %d,k); } if (x<0) exit(exit_failure); return EXIT_SUCCESS; }

5 COUNTEREXAMPLE-GUIDED ABSTRACTION REFINEMENT (CEGAR) Program Code Safety Predicates Abstraction of Program State Counterexample is a real Bug Abstract - Check - Refine Extract Trace and Report to User Predicate abstraction Refine Abstraction Counterexample Does not hold in Real world Verify Safety Properties No Counterexample Specification Holds

6 CEGAR (IN BLAST) Given a program and a safety specification: a Control Flow Automata (CFA) is first built Locations are nodes, Operations are edges L2 Pred(p1 0) x1 := 1 Pred(p1 0) L1 Pred(p1=0) L3 L1: if(p1) { L2: x1 = 1; } L3: if(p1) { L4: if (x1!= 1) goto ERR; } L5: return EXIT_SUCCESS; ERR: return EXIT_FAILURE; Specification expressed in error locations L4 Pred(p1=0) Pred(x1 1) Pred(x1=1) ERR L5 return EXIT_FAILURE return EXIT_SUCCESS EXIT

7 LAZY ABSTRACTION Nothing changed along the transition, since our set of predicates is empty. a.k.a reachable region i.e. an approximation of all possible data states at the path location Then, An Abstract Reachability Tree is derived from the CFA An ART expresses all reachable data states in the program w.r.t. the abstraction Each node is a (location,state) pair (Ultimately nodes also contain stack trace for interprocedural) Construction continues until an error state is reached, or all paths are covered Pred(p1 0) L2 L1 Pred(p1=0) true L1 true Pred(p1 0) Pred(p1=0) true L2 L3 true x1 := 1 Pred(p1 0) Pred(p1=0) L3 true L4 L5 true x1 := 1 Pred(p1 0) L3 Pred(p1 0) Pred(p1=0) Pred(x1 1) Pred(x1=1) Pred(x1 1) L4 Pred(x1=1) Pred(p1=0) true L4 L5 true ERR L5 ERR return EXIT_FAILURE EXIT L5 return EXIT_SUCCESS true Pred(x1 1) ERR Pred(x1=1) L5 true true true

8 ABSTRACTION REFINEMENT L1 true Pred(p1=0) Once an error state is reached, the path is checked to be feasible A path formula is created in SSA form: p1,1 = 0 p1,1 0 x1,1 1 The formula is satisfiable iff the path is feasible in the concrete program Infeasible error path reported due to abstraction being too coarse. true L4 ERR L3 Pred(p1 0) Pred(x1 1) true true

9 PREDICATE DISCOVERY L1 p1,1 = 0 p1,1 0 x1,1 1 The predicate-discovery algorithm takes the path formula and finds new predicates that must be added to the abstraction in order to rule out the infeasible error path. An interpolant is calculated for every node along the infeasible path formula. p1,1 = 0 p1,1 0 x1,1 1 An interpolant at a cut point means what are the parts in the formula so far, that contradict the rest of the formula? The interpolant at L3 is p1,1 = 0, which translates to p1 = 0 in the original program L4 Pred(p1=0) ERR L3 Pred(p1 0) Pred(x1 1) p1,1 = 0 p1,1 0 x1,1 1 p1,1 = 0 p1,1 0 x1,1 1 p1,1 = 0 p1,1 0 x1,1 1

10 ART REFINEMENT The Abstract Reachability Tree is refined The newly found predicate is added at the cut location(s) The CEGAR algorithm continues L1 true Pred(p1 0) Pred(p1=0) true L2 L3 true p1 = 0 x1 := 1 Pred(p1 0) Pred(p1=0) true L3 true L4 L5 true Pred(p1 0) Pred(p1=0) Pred(x1 1) Pred(x1=1) true L4 L5 true ERR L5 Pred(x1 1) Pred(x1=1) true true true ERR L5 true

11 PREDICATE ABSTRACTION QUERY L3 Pred(p1 0) p1 = 0 Once predicates were added, we need to account for operations i.e. which of the predicates became true? which became false? which are unknown? A single SMT call won t always suffice! For instance if predicates are {p1 = 0, x1 = 1} and the operation is p1 = x1 1 then what we really want is p1 = 0 x1 = 1 (p1 0 x1 1) This operation is called a Predicate Abstraction Query (PAQ) and is a core operation of CEGAR PAQ is formally defined as follows: given a set of quantifier-free predicates P, and a quantifier-free formula ψ in some first-order theory, compute the strongest formula G P (ψ) over P that is implied by ψ. L4 false L3 p1:= x1-1 L4 p1 = 0, x1 =? 1? p1 = 0 x1 = 1 ( p1 = 0 x1 = 1 )

12 PAQ GENERATION How can we compute PAQ? Here s another definition: GP ψ = c c is a minterm over P and c ψ is satisfiable } (A minterm over a set of predicates P is a formula p 1 p n q 1 q m where p i, q j P and each predicate appears exactly once) Thus, GP ψ can be computed by enumerating all minterms and using a decision procedure to decide satisfiability. Can also be reduced to quantifier elimination (later on..)

13 SMALL BLOCK ENCODING The BLAST (and others) technique is called Small Block Encoding (SBE) As the program is divided to basic blocks and each operation is encoded individually Problem?? Each transition update in the ART, requires a PAQ which incurs several SMT solver calls Needlessly costly for certain programs As these can be verified using a single SMT call! L1 : if(p1) { L2 : x1 = 1; } L3 : if(p2) { L4 : x2 = 2; } L5 : if(p3) { L6 : x3 = 3; } L7 : if(p1) { L8 : if (x1!= 1) goto ERR; } L9 : if(p2) { L10: if (x2!= 2) goto ERR; } L11: if(p3) { L12: if (x3!= 3) goto ERR; } L13: return EXIT_SUCCESS; ERR: return EXIT_FAILURE;

14 LARGE BLOCK ENCODING Solution! An alternative to SBE is Large-Block Encoding (LBE). LBE lifts predicate abstraction to program summaries (i.e., loop-free program fragments) The first, main step of LBE is the summarization of the program CFA In which each large control-flow subgraph that is free of loops is replaced by a single control-flow edge with a large formula that represents the removed subgraph.

15 PROGRAM SUMMARIES CFA summarization consists of the fixpoint application of two rewriting rules. a.k.a rule summarization Summarizing the CFA = (L, G) is done by iteratively applying two rewriting rules, Sequence and Choice, until they cannot be applied anymore.

16 PROGRAM SUMMARIES Summarize CFA A = (L, G): Rule 1: Sequence If G contains an edge l 1, op 1, l 2 l 1 l 2 There are no other incoming edges to l 2 where: remove it from L and replace all outgoing edges l 2, op i, l i with edges l 1, op 1 ; op i, l i in G the semantics of the new edge becomes the semantics of first applying op 1 on the state, and then applying op i SP opi (SP op1 ψ )

17 PROGRAM SUMMARIES Summarize CFA A = (L, G): Rule 2: Choice If G contains edges l 1, op 1, l 2 and l 1, op 1, l 2, replace them with the edge l 1, op 1 op 2, l 2 And the semantics of the new edge becomes the semantics of applying op 1 on the state disjunct with applying op 2 on the state SP op1 ψ SP op2 ψ

18 PROGRAM SUMMARIES Lets summarize the following program: L1: while (i>0) { L2: if (x==1) { L3: z = 0; } else { L4: z = 1; } L5: i = i-1; L6: } The initial CFA is: [p] means assume(p) i.e. ψ = ψ p s = e means assignment i.e. ψ = s. ψ[ s/s] s = e

19 PROGRAM SUMMARIES rule 1 rule 1 rule 1 rule 2 rule 1 rule 1

20 LBE PAQ Summary semantics for the loop edge (in steps): ψ 1 = i > 0 ψ 2 = ψ 1 x == 1 ψ 1 x 1 = ψ 2 1 ψ 22 ψ 3 = ( z. ψ 21 z/z z = 0 ) ( z. ψ 22 z/z z = 1 ) ψ = i. ψ 3 i/i (i = i 1) Thus the PAQ will need to generate G P ψ for a much larger ψ

21 RECAP: SBE & LBE Both SBE and LBE are an approach for CEGAR Both use predicate abstraction and discover predicates lazily using counterexamples Both build an Abstract Reachability Tree and advance over it using Predicate Abstraction Queries Small Block Encoding handles each operation separately The resulting ART is usually large A lot of small, simple PAQs Large Block Encoding summarizes entire non-looping subgraphs A much smaller ART is produced Fewer PAQs are much more complex L1 : if(p1) { L2 : x1 = 1; } L3 : if(p2) { L4 : x2 = 2; } L5 : if(p3) { L6 : x3 = 3; } L7 : if(p1) { L8 : if (x1!= 1) goto ERR; } L9 : if(p2) { L10: if (x2!= 2) goto ERR; } L11: if(p3) { L12: if (x3!= 3) goto ERR; } L13: return EXIT_SUCCESS; ERR: return EXIT_FAILURE;

22 CONTRIBUTION Further Based On: [4] SMT Techniques for Fast Predicate Abstraction by Lahiri, Nieuwenhuis & Oliveras [5] Decision Diagrams for Linear Arithmetic by Chaki, Gurfinkel & Strichman

23 SECTION OUTLINE 1. Define a broader notion of program summary (contribution #1) 1. And show that it includes the rule summary definition 2. Provide a way to generate such summaries directly from SSA form (contribution #2) 3. Use the generated summary as a PAQ and solve it (contribution #3) 1. Using AllSAT 2. Using LDD

24 PROGRAM SUMMARY V2 Contribution #1: LBE can be performed not only with rule summarization A broader notion for summarization is defined: A program P = V, L, l 0, L ε, T is a summary for a program P = V, L, l 0, L ε, T iff L L l 1, s 1 l n, s n T iff there exists an L -free trace l 1, s 1 l n, s n in the original program P A trace l 1, s 1 l n, s n is L -free iff L l 2,, l n 1 = Note that P preserves semantics L {l 0 } L ε If a state s is reachable in P at label l L then it is also reachable in P

25 LOOP CUTSET SUMMARY Let G = (V,E) be a graph. A set S V is a cycle cutset (or simply a cutset) of G iff S contains a vertex from every cycle in G i.e., the graph (V \ S,E \ ((S V ) (V S))) is acyclic. We call an element s S a cutpoint. A program P = V, L, l 0, L ε, T is a cutset summary of P iff P is a summary of P and L is a cutset of CFG(P). The cutset summary of a program is not unique. Finding a minimal one is NP-complete, but good polynomial approximations exist.

26 RULE SUMMARY IS A SUMMARY Reminder: rule summarization is based on two program transformations, SEQ and CHOICE. We show that each application of a rule results in a summary: Choice Rule: L did not change thus L L T now has new edge, that corresponds to either previous edges => the application of CHOICE is a summary Sequence Rule: A label was removed so L L still holds The op1;op2 edges corresponds to the op1->l2->op2 path, etc. => the application of SEQ is a summary

27 RULE SUMMARY IS A CUTSET SUMMARY A rule summary can be viewed as the limit of the sequence P, P 1, P 2,, P Summry where each P i is the result of applying a rule on P i 1. We only need to show that L Summry is a cutset i.e. it contains a label from each cycle But we know this, as the rule summary decimates loops into single edges, and leaves one label.

28 GENERATING A CUTSET SUMMARY Contribution #2: given a cutset C produce a summary directly from the (SSA form) off the program A more general (and efficient?) way to create summaries And later show how this summary can be used to generate a PAQ

29 SINGLE STATIC ASSIGNMENT A program is in SSA form if each variable is assigned at most once in its syntax. Any program can be efficiently transformed to SSA In addition to normal assignments, SSA uses special φ-assignments. syntax is x PHI(v 1 l 1,, v n l n ) where x is a variable, l 1 l n are locations and v 1 v n are values The PHI -function evaluates to v i if it is reached from l i

30 SSA EXAMPLE int x = 0,y; while(x < 10) { y = 0; while(y < x) { y++; } x++; } 0 : goto 1; 1 : x = PHI(0:0, x_0:4); if (x < 10) goto 2 else goto 5; 2 : y = PHI(0:1, y_0:3); if (y < x) goto 3 else goto 4; 3 : y_0 := y + 1; goto 2; 4 : x_0 := x + 1; goto 1; 5 : In the example, x = PHI(0:0, x_0:4); evaluates to 0 if reached from label 0 (program start) and otherwise evaluates to x_0 if reached from label 4 (within the loop)

31 SSA SEMANTICS Operationally, advancing from l to l means: Performing the label s assignment (note that only assignments have labels) Validating the guard (for example, x < 10 when advancing from 1 to 2) Evaluating the PHI-assignment according to l Thus graphically: 0 : goto 1; 1 : x = PHI(0:0, x_0:4); if (x < 10) goto 2 else goto 5; 2 : y = PHI(0:1, y_0:3); if (y < x) goto 3 else goto 4; 3 : y_0 := y + 1; goto 2; 4 : x_0 := x + 1; goto 1; 5 :

32 GENERATING SUMMARY FROM SSA Summarization is done incrementally, by choosing pairs of labels from the cutset and summarizing their fragment. We show how by example: Summarize the (2,2) fragment with loop cutset C = 0,1,2,5 and predicates y < 0, x < 0 : int x = 0,y; while(x < 10) { y = 0; while(y < x) { y++; } x++; } 1. Gather all locations on the C-free subgraph of P denoted L f = 2, 3 Why can t labels from cuteset C be taken into account?

33 GENERATING SUMMARY FROM SSA Summarize the (2,2) fragment with loop cutset C = 0,1,2,5 and predicates y < 0, x < 0 : 2. Construct a formula conjuncting all assignments in L f denoted A = (y 0 = y + 1) A satisfying assignment for A corresponds to executing all assignments in the fragment at once Remember: there are no contradictions since the program is SSA and the fragment is loop-free

34 GENERATING SUMMARY FROM SSA 3. Next, define a formula R l for all l L f locations: R 3 = (B 3 (B 2 y < x)) R 2 = (B 2 (B 3 y = y 0 )) Intuitively, B l represents whether l is reachable in the execution. Thus R l states that if l is reachable, then its predecessor l is reachable and the guard\assignment on the (l, l ) must be true. The target location 2 gets a special version R 2, where the LHS is primed. Since 2 is a back-edge destination (cutpoint), φ-assignments there could be circularly dependent on another assignment in the fragment. Generally: R l = (B l l Pred l L f (B l G l, l φ(l, l)) R l = (B l l Pred l L f (B l G l, l φ (l, l))

35 GENERATING SUMMARY FROM SSA 4. Next, we define a formula CFG as follows: CFG = B 2 R 2 R 3 Every satisfying assignment to A CFG corresponds to a path in the fragment! Lets try: A CFG = y 0 = y + 1 B 2 (B 2 (B 3 y = y 0 )) (B 3 (B 2 y < x)) B 2 has to be true (the destination must be reachable), thus we are left with: A CFG = (y 0 = y + 1) (y = y 0 ) (y < x) Which indeed corresponds to the (only) path in the fragment Generally (for a (l 1, l 2 ) fragment): CFG = (B l2 R l2 l L f \{l 1,l 2 } R l )

36 GENERATING SUMMARY FROM SSA 5. Finally, we need to account for predicates y < 0, x < 0 : We define one formula for the source predicate abstraction, and on for the destination: Src = (b y y < 0) b x x < 0 Dst = (b y y < 0) b x x < 0 No prime for x as it wasn t assigned to. The resulting PAQ will therefore be: V, V, V l. A CFG Src Dst And for our (2,2) fragment: y 0 = y + 1 B 2 (B 2 (B 3 y = y 0 )) (B 3 (B 2 y < x)) (b y y < 0) b x x < 0 (b y y < 0) b x x < 0 This is very useful!

37 EFFICIENTLY SOLVING GENERATED PAQS Reminder: We want all possible models for b x, b y, b x, b y To soundly check our spec, we need to know if a predicate if necessarily true, false or neither. We want to be able to plug the previous state s b x, b y and get b x, b y instantly Two approaches for solving: AllSat approach Linear Decision Diagram approach

38 ALLSAT AllSAT is another way to leverage SMT solvers to get all models for a formula ψ over a set of predicates P So far we had to enumerate all minterms Calculating G P ψ in AllSAT: 1. G P (ψ) = true 2. Create a formula ψ = (ψ pi P b i p i ) (a new variable b i is added for every predicate) 3. SMT solve ψ and get a model T 4. G P ψ = ( bi is true in T p i ) ( bi is false in T p i) i.e. create a formula representing all the predicates that are true in T and disjunct it to G P ψ 5. ψ = ( bi is true in T b i ) ( bi is false in T b i ) Make sure you don t get the same assignment again by adding a blocking clause 6. Goto 3 This can be improved by performing backtracking, every time a model is found, as if the blocking clause belongs to the clause set [SMT Techniques for Fast Predicate Abstraction]

39 INCREMENTAL ALLSAT Another way is to incrementally refine G P ψ : A sequence of G P k 1 ψ,, G P k m ψ is calculated k Each G i k P ψ is more precise i.e. i 1 k GP ψ over-approximates G i P ψ k G m P ψ is G P ψ k Advantage: an earlier G i P ψ may suffice! The calculation is done by using increasingly sized cubes k i over P

40 INCREMENTAL ALLSAT Example: ψ x < y 2 x > y and P = {p 1, p 2, p 3 } where p 1 is x < 0, p 2 is y = 2 and p 3 is x = 4. G P ψ = For the computation of G P 1 ψ : the AllSAT procedure first finds the minterm p 1 p 2 p 3 and restricts it to size 1 i.e. p 3. After adding the blocking clause p 3, the minterm p 1 p 2 p 3 is found and restricted to p 1. Then, p 1 is added as a blocking clause and since there are no more minterms to be found we finish with G P 1 ψ = p 3 p 1

41 INCREMENTAL ALLSAT G P 1 ψ = p 3 p 1 For G P 2 ψ we start with the minterms already computed in the previous step: We restrict p 1 p 2 p 3 to p 2 p 3. Note that since G P 2 ψ G P 1 ψ, the restriction must include p 3! The blocking clause p 2 p 3 is added. We similarly restrict p 1 p 2 p 3 to p 1 p 2. and p 1 p 2 is added Then the search starts again: First p 1 p 2 p 3 is found and restricted to p 1 p 3 (again, p 1 p 2 would have been a bad choice). The AllSAT procudre is further applied until it arrives at G P 2 ψ = p 2 p 3 p 1 p 2 p 1 p 3 p 1 p 2. At the last phase, since P = 3, we will necessarily arrive at G P ψ

42 SOLVING OUR PAQS WITH ALLSAT Solving A CFG Src Dst with AllSAT is easy, as it s already in the ψ ( pi P(b i p i )) form. Reminder: Src = pi P b i p i, Dst = pi P b i p i We only need to tell AllSAT of our b i, b i variables (for the blocking clause)

43 BINARY DECISION DIAGRAMS Reminder: any binary function can be represented with a binary decision tree Which can be further reduced to a Binary Decision Diagram using two reduction rules BDDs allow applying logical operations (,,,, ) in polynomial time

44 LINEAR DECISION DIAGRAMS An Linear Descision Diagram (LDD) is a BDD with nodes labeled with atomic terms from Linear Arithmetic (LA). An LDD represents a LA formula in the same way a BDD represents a Boolean formula. LDDs support the usual Boolean operations conjunction, disjunction, negation, etc. Boolean quantification, and variable reordering. Additionally, they provide quantification over numeric variables via direct Fourier- Motzkin elimination on the diagram

45 SOLVING OUR PAQS WITH LDD LDDs can be used to solve the PAQ for A CFG Src Dst by quantifier elimination of all variables except the added b p, b p variables! For example, for the previous summary: y 0, y, y, x, B 2, B 3. (y 0 = y + 1) B 2 (B 2 (B 3 y = y 0 )) (B 3 (B 2 y < x)) (b y y < 0) b x x < 0 (b y y < 0) b x x < 0 if we encode it as an LDD and apply quantifier elimination, we will be left with a BDD over b x, b y, b x, b y that will effectively be G P ψ

46 ALGORITHM SUMMARY

47 CONCLUSION CEGAR require Predicate Abstraction Queries solving. These queries vary in length and complexity according to method (SBE vs. LBE). Efficiently generating and solving PAQs motivated further SMT research AllSAT The paper s techniques: 1. Creating LBE PAQs directly from SSA 2. Solving them with LDDs (superior to ALLSAT)