Predicate abstrac,on and interpola,on. Many pictures and examples are borrowed from The So'ware Model Checker BLAST presenta,on.

Similar documents
Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

The Software Model Checker BLAST

Model Checking: An Introduction

W3203 Discrete Mathema1cs. Logic and Proofs. Spring 2015 Instructor: Ilia Vovsha. hcp://

Predicate Abstraction: A Tutorial

Proofs Sec*ons 1.6, 1.7 and 1.8 of Rosen

Introduc)on to Ar)ficial Intelligence

SMT and Its Application in Software Verification

SAT-Based Verification with IC3: Foundations and Demands

Basics of Linear Temporal Proper2es

Monadic Predicate Logic is Decidable. Boolos et al, Computability and Logic (textbook, 4 th Ed.)

IC3 and Beyond: Incremental, Inductive Verification

: Advanced Compiler Design Compu=ng DF(X) 3.4 Algorithm for inser=on of φ func=ons 3.5 Algorithm for variable renaming

CSE P 501 Compilers. Value Numbering & Op;miza;ons Hal Perkins Winter UW CSE P 501 Winter 2016 S-1

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Bellman s Curse of Dimensionality

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Interpolant-based Transition Relation Approximation

or simply: IC3 A Simplified Description

EFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES

Proposi'onal Logic Not Enough

Lecture 4 Introduc-on to Data Flow Analysis

Static Program Analysis

Outline. Logic. Knowledge bases. Wumpus world characteriza/on. Wumpus World PEAS descrip/on. A simple knowledge- based agent

Be#er Generaliza,on with Forecasts. Tom Schaul Mark Ring

Deductive Verification

Unit 6 Sequences. Mrs. Valen+ne CCM3

Introduc)on. CSC 1300 Discrete Structures Villanova University. Villanova CSC Dr Papalaskari 1

Discrete Structures. Introduc:on. Examples of problems solved using discrete structures. What is discrete about Discrete Structures?

Abstractions and Decision Procedures for Effective Software Model Checking

IC3, PDR, and Friends

Streaming - 2. Bloom Filters, Distinct Item counting, Computing moments. credits:

arxiv: v1 [cs.pl] 21 Oct 2017

CS 6140: Machine Learning Spring What We Learned Last Week 2/26/16

Seman&cs with Dense Vectors. Dorota Glowacka

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Lecture 9: Cri,cal Sec,ons revisited, and Reasoning about Programs. K. V. S. Prasad Dept of Computer Science Chalmers University Monday 23 Feb 2015

Predicate Abstraction and Refinement for Verifying Multi-Threaded Programs

Algorithmic verification

CEGAR:Counterexample-Guided Abstraction Refinement

Func8onal Dependencies

Graphical Models. Lecture 3: Local Condi6onal Probability Distribu6ons. Andrew McCallum

Program Synthesis using Abstraction Refinement

Exercises 1 - Solutions

Variable Names. Some Ques(ons about Quan(fiers (but answers are not proven just stated here!) x ( z Q(z) y P(x,y) )

Applications of Craig Interpolants in Model Checking

REGRESSION AND CORRELATION ANALYSIS

h>p://lara.epfl.ch Compiler Construc/on 2011 CYK Algorithm and Chomsky Normal Form

Lecture Notes on Software Model Checking

CPSC 506: Complexity of Computa5on

Pushing to the Top FMCAD 15. Arie Gurfinkel Alexander Ivrii

Electricity & Magnetism Lecture 3: Electric Flux and Field Lines

Par$cle Filters Part I: Theory. Peter Jan van Leeuwen Data- Assimila$on Research Centre DARC University of Reading

CSCI 1010 Models of Computa3on. Lecture 02 Func3ons and Circuits

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Proof Techniques (Review of Math 271)

Reduced Models for Process Simula2on and Op2miza2on

Automata-Theoretic Model Checking of Reactive Systems

Logic and Modelling. Introduction to Predicate Logic. Jörg Endrullis. VU University Amsterdam

First-Order Theorem Proving and Vampire. Laura Kovács (Chalmers University of Technology) Andrei Voronkov (The University of Manchester)

! Predicates! Variables! Quantifiers. ! Universal Quantifier! Existential Quantifier. ! Negating Quantifiers. ! De Morgan s Laws for Quantifiers

Op#mal Control of Nonlinear Systems with Temporal Logic Specifica#ons

Ranked Predicate Abstraction for Branching Time. Complete, Incremental, and Precise

CS 161: Design and Analysis of Algorithms

The Impact of Craig s Interpolation Theorem. in Computer Science

Hidden Markov Models and Applica2ons. Spring 2017 February 21,23, 2017

Lecture Notes on Inductive Definitions

Incremental Proof-Based Verification of Compiler Optimizations

1.7 Proof Methods and Strategy

Vinter: A Vampire-Based Tool for Interpolation

Rela%ons and Their Proper%es. Slides by A. Bloomfield

Introduction to Logic in Computer Science: Autumn 2006

2-4: The Use of Quantifiers

Propositional Logic: Models and Proofs

Automated Reasoning Lecture 5: First-Order Logic

Outline. Part 5. Computa0onal Complexity (3) Compound Interest 2/15/12. Recurrence Rela0ons: An Overview. Recurrence Rela0ons: Formal Defini0on

Numerical Methods in Physics

PSPACE, NPSPACE, L, NL, Savitch's Theorem. More new problems that are representa=ve of space bounded complexity classes

Proof Rules for Correctness Triples

Incomplete version for students of easllc2012 only. 6.6 The Model Existence Game 99

Short introduc,on to the

Detec%ng and Analyzing Urban Regions with High Impact of Weather Change on Transport

Interpolation. Seminar Slides. Betim Musa. 27 th June Albert-Ludwigs-Universität Freiburg

Spectral Algorithms for Graph Mining and Analysis. Yiannis Kou:s. University of Puerto Rico - Rio Piedras NSF CAREER CCF

Networks. Can (John) Bruce Keck Founda7on Biotechnology Lab Bioinforma7cs Resource

LBT for Procedural and Reac1ve Systems Part 2: Reac1ve Systems Basic Theory

Other types of errors due to using a finite no. of bits: Round- off error due to rounding of products

Comments on Black Hole Interiors

CSCI 360 Introduc/on to Ar/ficial Intelligence Week 2: Problem Solving and Op/miza/on. Professor Wei-Min Shen Week 8.1 and 8.2

Chapter 3 Deterministic planning

Infinite-State Backward Exploration of Boolean Broadcast Programs

An overview of SLAM. Albert Oliveras, Enric Rodríguez-Carbonell. Deduction and Verification Techniques Session 5 Fall 2009, Barcelona

MA/CS 109 Lecture 7. Back To Exponen:al Growth Popula:on Models

Cellular automata, entropy and box- coun4ng dimension

COMP 562: Introduction to Machine Learning

Counterexample-Guided Abstraction Refinement

Sta$s$cal Significance Tes$ng In Theory and In Prac$ce

First-Order Theorem Proving and Vampire

Pseudospectral Methods For Op2mal Control. Jus2n Ruths March 27, 2009

CS 250/251 Discrete Structures I and II Section 005 Fall/Winter Professor York

Transcription:

Predicate abstrac,on and interpola,on Many pictures and examples are borrowed from The So'ware Model Checker BLAST presenta,on.

Outline. Predicate abstrac,on the idea in pictures 2. Counter- example guided refinement 3. wp, sp for predicate discovery 4. Interpola,on

The task Given a program, we wish to check it sa,sfies some property: never divide by zero variable x is always posi,ve never call lock() twice in a row The problem: In general, programs have large or (for prac,cal purposes) infinite state spaces: many variables integers Let s say we have two 32bit integer variables, the number of states is 8446744065967025!

Predicate abstrac,on Group concrete states that sa,sfy a certain property together. à finitely many abstract states, labeled by predicates s i Each such concrete state s i consists of program counter state of variables Hence, one node in the CFG can correspond to many different program states.

Predicate abstrac,on We are given the concrete rela,on with transi,ons (s i, s j ) r, i.e whenever we have an edge in the CFG. Using some abstrac,on func,on get corresponding abstract states β β a i = (s i ) and a j = (s j ) and we merge those states whose predicates are the same. β we

Predicate abstrac,on β β a i = (s i ) and a j = (s j ) s i s j Then, if (s i, s j ) r we require (a i, a j ) a.

Predicate abstrac,on β a i = (s i ) and a j = (s j ) Then, if (s i, s j ) r we require (a i, a j ) a. β

Predicate abstrac,on Error Error states are bad states where the property to check does not hold. Safe Reachability ques,on: Is there a path from an ini9al to an error state? Initial

Predicate abstrac,on Is there a path from an ini9al to an error state? We are guaranteed to not get any false nega,ves: if a state is unreachable in abstrac,on, it is unreachable in the concrete state space.

Outline. Predicate abstrac,on the idea in pictures 2. Counter- example guided refinement 3. wp, sp for predicate discovery 4. Interpola,on

False posi,ves Suppose we find a path to some error state. Have we found a true bug in the program? Maybe, or we just found a spurious counterexample. How to check: take the concrete path through the program and construct the formula describing its rela,on feed this formula to a theorem prover path feasible: true bug found, report and finish path infeasible: no bug, refine abstrac,on Note: how we get the concrete path will become obvious later.

Counter- example guided refinement If path is infeasible, add more predicates to dis,nguish paths and rule out this par,cular one. Idea: use infeasible path to generate predicates such that when added, this path will not appear any more. Repeat un,l find a true counterexample system is proven safe,meout

Counter- example guided refinement Suppose we have a black- box tool that can provide us with the missing predicates. P 2 P 3 P We re done, right?

Lazy abstrac,on Not quite... Abstrac,on is expensive: # abstract states is finite, but s,ll too large: 2 # predicates Observa,on: not all predicates are needed everywhere only a frac,on of states is reachable

Abstract reachability tree Initial 2 Unroll the CFG: pick a tree node add children if we revisit a state already seen, cut off 3 4 5 3

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4: while(new!= old); 5: unlock (); return; unlock lock unlock lock An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock. Calls to lock and unlock must alternate.

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); Predicates Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); lock() old = new q=q- >next 2 LOCK 2 Predicates Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); [q!=null] 3 2 LOCK LOCK 2 3 Predicates Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); q- >data = new unlock() new++ 3 4 2 LOCK LOCK 4 2 3 Predicates Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 3 4 2 LOCK LOCK [new==old] 5 5 4 2 3 Predicates Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 3 4 2 LOCK LOCK 5 unlock() 5 4 2 3 Predicates Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 3 4 2 LOCK LOCK lock() old = new q=q- >next [q!=null] q- >data = new unlock() new++ [new==old] 5 5 unlock() 4 2 3 Predicates Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 3 4 2 LOCK LOCK old = new new++ 2 5 4 3 5 [new==old] Inconsistent new == old Predicates Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); Predicates, new==old Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); LOCK, new==old 2 lock() old = new q=q- >next 2 Predicates, new==old Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); LOCK, new==old 2 LOCK, new==old 3, : new = old 4 q- >data = new unlock() new++ 4 2 3 Predicates, new==old Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); LOCK, new==old 2 LOCK, new==old 3, : new = old 4 [new==old] 4 2 3 Predicates, new==old Reachability Tree

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); LOCK, new==old 2 LOCK, new==old 3, : new = old 4 [new!=old] 2 4 3, : new == old Predicates, new==old

Example Example ( ) { : do{ lock(); old = new; q = q- >next; 2: if (q!= NULL){ 3: q- >data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); LOCK, new==old LOCK, new==old 3, : new = old 4 2 4 LOCK, new=old SAFE 5 4 4 2 3 Predicates, new==old, : new == old 5, new==old Reachability Tree

Outline. Predicate abstrac,on the idea in pictures 2. Counter- example guided refinement 3. wp, sp for predicate discovery 4. Interpola,on

How to find the predicates: wp, sp init r s r 2 error We have a path init(x ) r (x, x 2 ) r 2 (x 2, x 3 ) that is infeasible, i.e. set of states at posi,on error is empty. The P is what we are looking for, hence use wp(r 2, false) x, x'. ( P(x) r(x, x') Q(x') ) x, x'.p(x) r(x, x') Q(x') {P r { Q to derive predicates for posi,on s. We effec,vely compute the weakest condi,on such that the error state is not reached.

How to find the predicates: wp, sp init r s r 2 wp(r 2, false) Propagate backwards through the ART to compute predicates for all posi,ons. Alterna,vely, use sp(init, r) to compute predicates forwards. However, wp, sp introduce quan,fiers formulae can become quite complex error

What kind of predicates are needed? init r s r 2 error Suppose our path consists of states s, s 2,, s n. What we want are predicates P i (corresponding to s i ), such that P - > P 2 - > P n- and P n- and P n are inconsistent. à the path has been ruled out. Note: it is always sound to pick predicates at random! P 2 P 3 P

Outline. Predicate abstrac,on the idea in pictures 2. Counter- example guided refinement 3. wp, sp for predicate discovery 4. Interpola,on

So what is the magic? Defini9on: Given two formulas F and G, such that = F - > G, an interpolant for (F, G) is a formula H such that:. = F - > H 2. = H - > G 3. H only contains free variables common to both F and G Craig s interpola9on theorem (957): Let F and G be formulas in first- order logic. If F - > G is valid, then an interpolant for (F, G) always exists. ( but it can contain quan,fiers.)

Examples The examples are all in proposi,onal logic: F: ( P ( Q R) ) H: G: P Q F: H: G: Q F: Q H: G: ( ) ( P P) ( P P) F: (P Q) ( R Q) H: G: (T P) (T R)

Examples The examples are all in proposi,onal logic: F: ( P ( Q R) ) H: P Q G: P Q ( ) ( P P) F: H: G: Q F: Q H: T G: ( P P) F: (P Q) ( R Q) H: G: (T P) (T R) (P R)

Two simple ways of compu,ng an interpolant Suppose F - > G. Let H min elim(9p,p 2,...,p n.f)where{p,p 2,...,p n = FV(F )\FV(G) H max elim(8q,q 2,...,q m.g)where{q,q 2,...,q m = FV(G)\FV(F ) and let I(F, G) be the set of all interpolants for (F, G): I(F, G) ={H H is interpolant for (F, G) Theorem: The following proper,es hold for H min, H max, I(F, G) defined above: () H min 2 I(F, G) (2) 8H 2 I(F, G). = (H min! H) (3) H max 2 I(F, G) (4) 8H 2 I(F, G). = (H! H max ) Effec,vely, H min is the strongest interpolant and H max is the weakest one.

Proof WLOG, let F be over the variables x, y and G over y, z. Then by assumption 8x, y, z.f (x, y)! G(y, z) and for any interpolant H in I it holds 8x, y. F (x, y)! H(y) 8y, z. H(y)! G(y, z) Now, for H min to be an interpolant, it must hold 8x, y. F (x, y)!9x.f(x,y) This statement is equivalent to 8y. (9x. F (x, y))!9x.f(x,y) which is trivially true. Similarly 8y, z.(9x.f(x,y))! G(y, z), 8x,y,z.F(x,y)! G(y, z) hence H min is indeed an interpolant. To show that it is the strongest interpolant consider 8x, y. F (x, y)! H(y) whichisequivalent to 8y. (9x. F (x, y))! H(y) which is what we wanted to show. The proof for H max follows similarly.

Remarks By the last theorem, if a theory has quan,fies elimina,on, then it also has interpolants, e.g. Presburger arithme,c field of complex and real numbers mixed linear and integer constraints But, interpolants may exist even if there is no quan,fier elimina,on (e.g. FOL). There are also other ways of compu,ng them. Some theories do not have interpolants, e.g. quan,fier free theory of arrays F : G : M 0 = wr(m,x,y) (a 6= b) ^ (rd(m,a) 6= rd(m 0,a)) ^ (rd(m,b) 6= rd(m 0,b)) Since the interpolant cannot use x, y, a, b, it has to use quan,fiers.

Alterna,vely Instead of validity of implica,on, we can consider unsa,sfiability. Defini9on: Given two formulas F and G, such that F ^ G is inconsistent, an interpolant for (F, G) is a formula H such that:. = F - > H 2. H ^ G is inconsistent 3. H only contains free variables common to both F and G Intui9on: H is an abstrac,on of F containing just the inconsistent informa,on with G. I.e. H is the reason why F and G are inconsistent. Example: F: 2z 0 y z + 2 0 H: x y 0 3x + y + 0 Interpolant: 2y + 3 0 It is possible to extract interpolants from a proof of F ^ G being inconsistent.

init Pulng it all together r s F r 2 s 2 r 3 error G The informa,on the execu,ng program has at this point contains variables common to F and G.

init Pulng it all together r s F r 2 s 2 r 3 error G Use the interpolant H here as addi,onal predicate. Note: there is way to compute interpolants from the proof of unsa,sfiability of the path.

init Pulng it all together r s F Repeat for all nodes in the ART. r 2 s 2 G r 3 error

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback